Strategic Change and How to Make it Stick with Security

Conferences are great places to learn about new technologies and their applications, and how other health systems are applying them to address length of stay, cost reduction, lowered risks, or increased efficiency.

Where we get into trouble is when we attempt to build and execute on strategies, and leave out critical components. What I mean by this is when an executive goes to a conference or reads an article, and hears that X technology is going to be the wave of the future, and that organizations who do not implement this as part of their strategy are going to be left behind. This often comes with little to no support or evidence for the statement; however, they act anyway.

First of all, healthcare is a highly competitive market, with multiple local, regional, and national players all fighting for dominance and limited resources. It’s an industry where the first-mover advantage is considered absolutely critical to achieve dominance, and the marketing of every healthcare provider emphasizes that.

Secondly, it’s an industry of mimicry. There are a few larger, mostly academic-affiliated providers and health systems, considered the elite. Normally, C-suite executives from these institutions headline conferences such as HIMSS, Becker’s IT + Revenue Cycle, CHIME, EXPO.health, or the American Hospital Association. When these leaders speak, those in attendance listen, and they attempt to implement what these institutions do as best practice. Also, there are numerous consulting firms that advise senior executives as part of relationship management as to what the trends are and what they should be focusing on.

This means that a lot of executives want to say they’re the first to implement something that these large institutions did, or what the consulting firms spoke about, because they consider whatever these name institutions do a differentiator between them and the competition. This often translates into them giving broad directives to their teams to move on these initiatives, and to execute them to become market leaders.

Often, this leads to engagements with these large consulting firms to assist in creating or reformulating strategies around how to build around these new technologies. There’s a gigantic amount of research done, and recommendations made to C-suites. Money is expended, sometimes in very large amounts, and the strategic play may or may not work.

What can we do better?

The first part is to see if this actually solves a business problem. There’s often a phrase I use, “A solution looking for a problem”. If you don’t know what problems a strategic solution can immediately solve, then it’s not a good fit at the current time.

A good example of this is Blockchain. There are many great use cases for it around verifying and validating data. However, the way that it is being marketed and sold has been around FOMO. Executives are being told that they need to have competence and a strategy around it, or they will be missing out. Examples from large health systems and pharmaceutical providers are being held up as use cases of success. There are any number of firms offering services to assist with it. This FOMO is actually causing doubt around the validity of this technology, as the marketing doesn’t discuss what it can do to solve problems executives may have. There are Blockchain companies doing great work, like Hashed Health, Consensys, and Good Shepherd Pharmacy. The problem is that, with all of the other companies selling a FOMO strategy, you don’t hear about them because the noise drowns them out.

The second part is user involvement. Your users have to execute this strategy. Strategy involves change. Strategic change affects all of our users. Where I have seen this fail is when strategic analysis takes place at the upper levels, without consideration for the team members who will be executing it. One observation about healthcare is that most of the work is done by people who aren’t highly paid. However, they value the services they provide, and take pride in their customer service. We have to keep them in mind and discuss what we do in terms of engagement. Excellent team member engagement in the strategic development process with an aim toward improved patient and customer satisfaction is a must. It will also let you know where it falls flat. You need to hear where it doesn’t work to know where it can work better.

I have a rule with my team. If you can’t explain what you’re doing in 30 seconds to someone, why are you doing it? You have to be able to explain how the strategic initiative will help improve engagement and the organization. As part of this, we’re expected to understand use cases, to have spoken with customers who actually have a need, and to communicate that. If you know your use case cold and what it solves for, it can be explained in less time.

The third part involves security. Ransomware has proven that you cannot take shortcuts with security, or bolt it on anymore. Security holes will be taken advantage of to extort your business for money. This will lead to increased employee disengagement, patient dissatisfaction, and significant reputational harm. Security is no longer a nice-to-have. It’s a must. Poorly executed initiatives don’t take this into consideration and put your patients at risk.

While in the past this was not a concern, the fact is that multiple providers have fallen victim, and the lack of operational management controls around systems is the reason attackers can do this undetected for months at a time. Focus on security and operational management as part of the strategy, not as something to be done later.

If a consultant tells you otherwise, they should not be offering their services for money, and you should not listen to them because they will put your patients at risk. Develop your own internal resources or hire better consultants.

We need to advance healthcare. We need great strategic initiatives to improve patient care and solve for the future (thanks Sandy Gomberg!). However, we cannot do this in a vacuum. We need to take multiple factors into consideration to succeed.

About the author

Mitch Parker, CISO

Mitchell Parker, MBA, CISSP, is the CISO at IU Health. Mitch has eleven years’ experience in this role, having established effective organization-wide programs at multiple organizations. He is responsible for providing policy and governance oversight and research, third-party vendor guidance, proactive vulnerability research and threat modeling services, payment card and financial systems security, and security research to IU Health and IU School of Medicine. In this role, Mitch collaborates across the organization and with multiple third parties to improve the people, processes, and technologies used to facilitate security and privacy for the benefit of IU Health’s patients and team members.

   
