Strategy, according to Dr. W. Christian Buss, former Professor of Strategic Management at the Fox School of Business at Temple University, can be summed up in three questions.
- What is the company’s present situation?
- Where does the company need to go from here?
- How should it get there?
The answer to the third question is the strategy.
We are currently dealing with environments in healthcare that have so many internal and external factors that they are unpredictable. Predictable strategy models don’t work with the level of disruption occurring today.
According to a 2012 Harvard Business Review article entitled "Your Strategy Needs a Strategy," there are four types of strategy: Classical, Adaptive, Shaping, and Visionary.
Classical is for predictable environments and organizations that are hard to change. Adaptive focuses on constant refinement of goals and tactics, and the ability to quickly shift, acquire, or divest resources. A shaping strategy focuses on building an ecosystem of Adaptive companies that collaborate by defining new markets, standards, platforms, and practices. The visionary type defines a future and is focused on building the path to get there.
In the modern healthcare environment, we are moving toward a shaping strategy. While many organizations in the past relied upon a classical or visionary strategy to move forward, this is no longer the case. Providers are now part of an ecosystem of payors, referring providers, partners, and interchanges that work together to accomplish the mission of healthier patients (the most prominent example being population health).
What this means is that processes and functions once relegated to IT are now prominent business-level functions. One of those functions is security. We’ve seen more and more that it has a significant impact not just in technology, but across the entire organization. A strong Information Risk Management team can not only help detect and address issues across the business, it can provide frameworks and mechanisms for dealing with uncertainty across the entire organization. This is key to being able to operate in an unpredictable environment.
Keeping this group wholly under IT, however, removes an important tool that benefits the rest of the organization. It also categorizes information risks along with IT risks, which shouldn’t be done unless you use the same enterprise risk management scoring model.
On the other hand, an overarching risk strategy can help address issues on an organization level. It also brings your customers into the overall resolution plan, whereas with the IT risk management plan, it’s clear that IT owns the plan. People aren’t going to work as hard if they don’t feel a sense of ownership. And so, a significant amount of communication is required to explain opportunities for both working together and improvement.
An overall plan for the organization needs to fit the mission and be focused on continual improvement, while an IT plan is normally focused on a smaller scope. The best advice is to be completely open as to what your plans are, continually communicate, and keep all team members involved. You won’t get any assistance if you don’t give it.
It’s important to present a realistic view of the requirements in a distributed environment, where interfacing between formerly disparate groups is now the norm. This involves having a strong Information Security team that advises the business on information risk, and collaborates with not only IT, but also non-IT teams across all parties. We need to ensure that requirements and risk management strategies are representative of our needs and capabilities, so that we can better deal with uncertainty.
Remember, this is a world that did not exist 10 years ago. When I started in this business, most CIOs openly discouraged collaboration between competitors on risk-related issues. The material threats to businesses caused by vague/non-specific contract language, unsecured partner portals, interfaces, and websites, along with a constant barrage of malware and ransomware, have opened the floodgates. Mobile device security, virtual desktops, a strong uptick in mergers and acquisitions, and a corresponding increase in fast-moving strategic partnerships have only increased the urgency.
CISOs are talking at a national level, both through informal (mailing lists and regional meetups) and formal (NH-ISAC, REN-ISAC, HIMSS, AEHIS/CHIME, and innumerable conferences) mechanisms. And while we know there have been long-standing conversations between CIOs, CISO groups are more focused on a shared vision of reducing risk in the face of increasing uncertainty.
Security/Information Risk, due to its focus on risk management and mitigation, is uniquely positioned to assist organizations in strategy. The risk management frameworks we use — such as NIST or HITRUST — focus on continual improvement, and are based on an adaptive strategy. Current collaboration efforts among CISOs turn this adaptive strategy into a shaping one, as we share tools and frameworks to address risks across multiple organizations.
Healthcare in general is still moving from a classical to an adaptive strategy. The end goal is for affiliated partners to utilize a shaping strategy. To effect this transformation, we need people advising our teams who understand the risks and know how to mitigate them. By bringing Information Security/Information Risk Management to the table, organizations can successfully collaborate with others and move forward with minimal risk. Instead of it being part of a cost center, Information Security can deliver strategic value — if it’s used the right way.
This piece was written by Mitch Parker, Executive Director, Information Security and Compliance at Indiana University Health, and Adjunct Lecturer of Health Informatics at Indiana University–Purdue University Indianapolis. Previously, he held the CISO role at Temple University Health System for eight years.