Pandemic allows CIOs to move with new speed, but cyber threats lie in wait

Agility, flexibility and security are the focus of the latest installment in our COVID-19 era lessons learned feature series, which this time showcases four CIOs, including Mayo Clinic's Cris Ross.
By Bill Siwicki
12:19 PM

The Mayo Clinic in Rochester, Minnesota, home of CIO Christopher J. Ross, one of the four health IT leaders in this ninth installment of Healthcare IT News' Health IT Lessons Learned in the COVID-19 Era feature series.

Photo: Mayo Clinic/Tripp/Flickr, licensed under CC BY 2.0

When the COVID-19 pandemic struck the U.S. early last year, life slowed down, even ground to a halt in many circumstances. But for health IT, things sped up.

When new technologies were needed to solve fast-moving healthcare challenges, hospitals and health systems could not afford to wait the time it normally took to stand up IT. They needed help fast. 

CIOs and their teams came through, learning to produce quality work in record time. But at the same time, bad actors were taking advantage of the pandemic-fueled chaos to strike healthcare provider organizations at their most vulnerable. Despite some early chatter of a hacker pandemic "ceasefire," it quickly became clear that cybercriminals were moving forward. 

This is the ninth installment in Healthcare IT News' Health IT Lessons Learned in the COVID-19 Era feature story series. The focus this time is on speed and security, with three CIOs and an IT director chiming in. They include:

  • Jason Cherry, director of information systems technology services at Lexington Medical Center in West Columbia, South Carolina. (@LexMedCtr)
  • Fernando Cortez, CIO and information security officer at La Clínica de La Raza, based in Oakland, California, with more than 30 clinics spread across three counties.
  • John Jay Kenagy, senior vice president and CIO at Legacy Health, based in Portland, Oregon. (@OurLegacyHealth)
  • Christopher J. Ross, CIO at Mayo Clinic in Rochester, Minnesota. (@MayoClinic)

Rapidly prototyping telehealth

For Cherry of Lexington Medical Center, the lessons he and his team learned when rapidly prototyping their telehealth solution were very important.

"Our IT team members care deeply about the services we provide to our customers, and they want our solutions to be 100% perfect before they deploy them to the organization," he said. "That attention to detail has really helped us reduce downtimes when performing routine maintenance on our EHR. However, when customers request new technologies or services, we really need to take a different approach."

One reason Lexington's integrated video visits succeeded was that the IT team had excellent feedback from several physicians before the team finalized the product.

"We presented them with a solution that was about 80% complete and did the primary functions they expected," he said. "We explained that this solution wasn't a finished product, and we really needed their input as part of a pilot offering. This process made some of the team nervous, because they felt as if we were releasing an inferior product to our customers, but the feedback from the doctors allowed us to quickly fine-tune the remaining 20%."

A truly collaborative project

Cherry believes those adjustments helped drive adoption of the solution throughout the practices, and that the project truly was a collaboration.

"Lexington Medical Center applied those lessons in agility when, later in the year, we were tasked with providing IT solutions for mobile COVID-19 testing sites, and then mobile COVID-19 vaccination sites," he recalled. "The team quickly mocked up a model for all wireless connectivity and PCs that these clinics would require to treat patients. We worked closely with the care team to make sure we understood all requirements."

"We are extremely fortunate to have physicians and nurses who are very engaged and eager to interact with IT. I think their enthusiasm makes a huge difference in the success of IT projects."

Jason Cherry, Lexington Medical Center

This joint team quickly built a solution that provided a consistent and repeatable experience that delivered the quality care patients expect, he added. As long as there was electricity, staff realized they had the ability to see patients almost anywhere, he said.

"We are extremely fortunate to have physicians and nurses who are very engaged and eager to interact with IT," Cherry noted. "I think their enthusiasm makes a huge difference in the success of IT projects. Another secret weapon in our arsenal is that in her spare time our CIO is a practicing physician in the organization's emergency department and uses our IT solutions when treating patients."

Candid physician feedback

The CIO's practice also allows her to get more candid feedback from peer physicians on whether the IT team's solutions work for caregivers and how they could be improved. This feedback was critical to fine-tune the solutions that brought so much success to the telehealth project, Cherry noted.

"The most important thing when applying lessons learned is to create an environment and a culture where it is acceptable to fail as long as you fail correctly and quickly," he advised. "Failing correctly means that, even though everyone on the team was involved and all other factors went right, the solution just wasn't a fit for the organization. If something fails because a team member is not engaged or is destructive to the project, you fail the wrong way."

Lessons learned from failing the right way help make services better in the long run and help the team build skill sets, he said.

"Failing quickly allows us to reallocate resources from a project that will never reach fruition to other endeavors," he said. "The longer we drag out a doomed project, the more expensive it becomes for the organization."

Customer feedback also is essential to providing services that people want to use, Cherry added.

"No one likes things forced on them, so involving your customers in the products they use will benefit everyone," he said. "This concept is one intangible that Lexington Medical Center does really well. We have an IT team that is in tune with their customers' needs at all levels. There's always room for improvement, but the organization encourages growth by not being punitive."

Lexington's senior leadership is engaged, involved and supportive of efforts to move forward, he added.

Security and business associate agreements

The quick change to work from home and the increased need for telehealth, from both inside the four walls of the hospital and for remote users, brought with it the need to insure information security and cybersecurity, said Cortez, of La Clínica de La Raza.

"And although there are many elements to be considered and addressed for information security, one place where the work begins is through ensuring that a robust business associate agreement is in place with particular vendors who offer telehealth systems and services," he said. "This is important, especially because PHI in transit and at rest must be appropriately secured."

"The need for a strong BAA cannot be overstated and is a critical first step for information security. This, even while the pandemic is raging."

Fernando Cortez, La Clínica de La Raza

During the early days of the pandemic, when change was occurring quickly, it often was difficult to negotiate a robust BAA, with many vendors instead choosing basic language that only met federal requirements, he recalled.

"As well, many vendors would not sign or even consider our boilerplate BAA, which is stronger and addresses California state HIPAA requirements," he noted. "As a result, vendors that would not consider stronger BAA language made it difficult to proceed to contracting for telehealth systems and services. The need for a strong BAA cannot be overstated and is a critical first step for information security. This, even while the pandemic is raging."

La Clínica de La Raza will continue to maintain a posture where the requirement for strong BAA language is paramount.

"Every conversation with a vendor prior to contracting includes a discussion about the BAA," Cortez said. "And the BAA is as important a document as is the contract language itself. In some cases having legal counsel who can help negotiate BAAs especially with respect to state requirements is critical."

Agility and flexibility are key

The biggest lesson Cherry of Lexington Medical Center learned during the past year was how agility and flexibility are key for modern health IT environments. He says healthcare organizations can be both of these things while still protecting patient safety and maintaining appropriate security posture. Thinking outside the box does not necessarily have to mean throwing out one's fundamental principles.

"For example, the culture at Lexington has always valued relationships," Cherry noted. "Our doctors absolutely preferred treating their patients in person to connect with them. There was not an emphasis on telehealth prior to the pandemic, because there was no real demand for it. Obviously, that demand changed drastically at the beginning of the pandemic."

The IT team worked diligently to provide a stop-gap solution to doctors while it built the desired end state.

"With the Centers for Medicare and Medicaid Services relaxing telehealth rules, we could use platforms not previously considered to get the doctors set up and started with telehealth," he explained. "The entire organization knew, however, that those rules would eventually tighten up again, so we would need a more compliant solution.

"We worked with our electronic health record vendor to implement a solution that met all pre-pandemic CMS requirements and integrated into our EHR, which our stop-gap solution did not do," he continued. "From design to implementation, we spent approximately three weeks implementing our long-term solution. It was like going from zero to 60 for telehealth in no time."

Quality relationships and flexibility

The IT team could not have done it without the quality relationships it had forged and the flexibility of the team itself, Cherry said.

"We built a rapid prototype of the solution and then recruited a few key physician champions to try it and provide feedback," he said. "This process was invaluable, because we could make important tweaks to the finished product to really meet physician needs. It also met all outstanding cybersecurity requirements.

"After that feedback, we began to roll out the solution to our physician practices," he continued. "In the beginning, our limiting factor was webcam supply, because we weren't the only ones suddenly needing them. We provided at-the-elbow support for physicians and opened bridge lines with all needed IT resources to support quick resolution to any issues."

As Lexington Medical Center's IT team began to scale up the deployment, an interesting thing happened.

"Doctors wanted the telehealth solution and wanted to know when it would be their turn to get it," Cherry recalled. "Our CIO did a phenomenal job as the front door for physician requests, and helped us prioritize the ever-growing list of deployments. Personally, I was extremely proud of how well this interdisciplinary team banded together to attack a problem and provide the right solution instead of the right-now solution."

Leveraging the lessons learned moving forward

As the organization starts to emerge from the pandemic, it needs to leverage these lessons in agility and flexibility, he added.

"I think doing so will be the real challenge moving forward," he said. "Without the driving force and necessity to be agile from the pandemic, how does a modern health IT team continue to build on those lessons? One way I have taken on this challenge is by restructuring my team into more of a DevOps model.

"I have tasked a group of people with providing rapid deployments for any organizational projects deemed critical," he explained. "I provide overall direction on organizational needs, but the team is empowered to work with the rest of the organization to deliver solutions that they need. The IT team's goal is to provide services that the organization wants to use instead of those it's forced to use."

The goal of the development team is to automate repetitive processes to remove errors so the IT team can focus its human capital on initiatives that make a big difference to the organization.

Focusing brainpower on higher value projects

"Since we have many great minds on our IT teams, removing mundane tasks from day-to-day work is critical to using their brainpower for higher-value projects," Cherry said. "The ops team has an equally important role of keeping our infrastructure running and performing at the level the organization expects."

The more front-facing clinical IT teams reorganized into service line groups to help support customers by workflow instead of specific EHR modules. IT continues to adjust its structure to ensure it continues to meet Lexington's needs.

"We also need to remember to keep the focus on our customers and what they need," Cherry noted. "I like to look at other industries for inspiration on what we should do. For instance, we are working to provide a single place for our customers to request something from IT without having to go to multiple systems or know IT jargon. It should be as simple as looking for something on Amazon and adding it to your cart."

The ultimate goal is to present solutions to doctors and nurses before they even know they need them. It's a bit of a stretch goal, he said, but he thinks mature digital healthcare organizations will be there.

"The best way to understand what our customers need is to meet them where they work to see how they use our IT solutions," he said. "Countless times in my career, a solution worked fantastic in a test lab, but it did not meet customer requirements when released into the real world. I have found that nurses will not let bad IT get in the way of patient care. They are extremely inventive in finding ways around, under, over or through ineffective IT offerings."

If IT isn't adding efficiency or safety to their jobs, IT becomes more of a hindrance than a help. However, IT would never know if it didn't see how its solutions affect workflows, he added.

Moving very fast

Ross of Mayo Clinic agrees with Cherry on the lessons of agility and flexibility, noting he and his team could move very fast and take calculated risks over the past year without hurting patients, clinicians or business operations.

"We needed to send an extra 20,000 people to work at home," he noted. "Without the pandemic, we would have had all kinds of controls on who got equipment, how it was used and so on. It wasn't a mad dash for the door, but it was pretty close to it. We got equipment home, then we put controls on it."

"Without the pandemic, we would take years to study that and wring our hands. Instead, we figured out how to deploy Microsoft Teams for collaboration and provide dual support for Teams and Zoom. We don't want to take unnecessary risks, but we proved we could be agile and quick."

Christopher J. Ross, Mayo Clinic

Mayo Clinic needed to increase its virtual visits from 4% of visits to 85%, he added.

"We just scheduled them and figured out how to make it work for patients and clinicians," he recalled. "We decided that even after the pandemic ends, our administrative workers will work from home. Without the pandemic, we would take years to study that and wring our hands.

"Instead, we figured out how to deploy Microsoft Teams for collaboration and provide dual support for Teams and Zoom. We don't want to take unnecessary risks, but we proved we could be agile and quick."

Work-at-home has presented some challenges, Ross added.

"But it also creates opportunities," he said. "We are already hiring key talent in cities around the country in ways that we wouldn't have a year ago. We are not simply taking our in-office tools home, we're trying to retool collaboration and help people embrace new ways of working."

Intensifying cybersecurity threats

"An obvious lesson that we ignore at our peril: Cyber threats are going to intensify," Ross stated. "The SolarWinds debacle was a rude awakening for everyone in IT. Healthcare wasn't specifically targeted by those attacks, but we are in general less defended than other industries. We've seen our general lack of protection in the ransomware attacks that are aimed at healthcare organizations."

Healthcare has some baked-in vulnerabilities in its medical devices, open campuses, and, for many, researchers who prize academic freedom, he said.

"We cannot eliminate those vulnerabilities, though in the mid and long term the medical device manufacturers have to find a better way to work with regulators to stop exposing us to unacceptable risks," he said. "We all need to implement compensating controls and protections, and to mitigate unacceptable risks."

Mayo Clinic's defense posture is multi-part.

"But we know that software-as-a-service and platform-as-a-service capabilities are inherently more secure and segregated, and provide less vulnerability than on-premise computing," he explained. "We sold our major data center six years ago and are moving all we can to SaaS and PaaS providers with a strong 'trust but verify' ethos."

Adding cybersecurity resources

Cortez, of La Clínica de La Raza, is on the same page as Ross when it comes to cybersecurity.

"As the pandemic worsened, the world has seen an increase in cybercrime," he observed. "Healthcare as an industry is a primary target. Insuring cybersecurity from everything between phishing attacks, direct hacking attempts and ransomware is a critical consideration.

Adding resources, both staffing and systems, can help to stay on top of the daily needs in this area. And make sure there is a budget to support the effort.

"Cybersecurity is everyone's responsibility. It's a team effort and requires an all-hands-on-deck approach," he added. "To this end, providing for staff training can be a powerful tool in the defense of cybersecurity assets. Know your systems, and establish a security plan and a process. Bring in qualified consultants to assist in areas where you know you need help and advice."

Stay educated as to what is happening with respect to healthcare and cybersecurity topics. Plan for the worst and train IT staff to be ready to respond quickly, he said.

"Cybersecurity has to continue to be a critical component of the overall information technology posture," Cortez said. "To achieve this goal requires that everyone, including executive leadership, is involved in the application of systems, processes and training to support cybersecurity. The quick need to respond to the pandemic has served to magnify the areas of cybersecurity that must be addressed. And focusing on these will lead to a stronger cybersecurity posture."

The beauty of video collaboration

On another front, Kenagy of Legacy Health says a major lesson he and his team learned throughout the pandemic has been the beauty of collaborating virtually, via videoconferencing technology.

"At Legacy, all of our hospitals are maybe a 30-mile drive away," he said. "For Legacy Health, and healthcare in general, it's a very social environment, a social culture. We would drive to get together to collaborate, and that introduces the risk of virus spread during a pandemic. So, with government bans from meeting together and working in the office, we very quickly adopted Microsoft Teams."

"With government bans from meeting together and working in the office, we very quickly adopted Microsoft Teams. I don't think we're going to go back to how it was before."

John Jay Kenagy, Legacy Health

So the tool for collaboration quickly became video, and there was great adoption, he added.

"I don't think we're going to go back to how it was before. We'll go back to some meetings, but I think that things like the negative impact on the environment of having 12 people from eight different hospitals driving is counterproductive. The ability of our administrative services to work from home and really do that without missing a beat for operational partners, the frontline heroes who are in the hospital every day, makes me proud."

Twitter: @SiwickiHealthIT
Email the writer: bsiwicki@himss.org
Healthcare IT News is a HIMSS Media publication.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.