When a hospital wants to connect with community providers but runs into resistance, what’s a CIO to do? For Cletis Earle, the answer is a “road show.” By that, Earle is referring to the organization’s efforts to visit physicians, educate them about the local RHIO, and give them to nudge – and support – they need to climb on board. In this interview, Earle talks about St. Luke’s “localized HIE strategy,” his strong focus on security and data loss prevention, and the challenges in planning when possible mergers are looming. He also talks about the range of innovation happening at his organization, from population health alerts to adding bus routes to help transport patients between facilities.
Chapter 3
- Security — “the biggest pie in the sky”
- Cyber insurance, testing & implementing the right tools
- Data loss prevention — “Get ready for the big punch”
- Boston Children’s hack attack
- Innovation at a community hospital — “We’re able to be as agile as possible.”
- Lifesaving mobile EKG reader
LISTEN NOW USING THE PLAYER BELOW OR CLICK HERE TO SUBSCRIBE TO OUR iTUNES PODCAST FEED
Podcast: Play in new window | Download (Duration: 13:55 — 12.7MB)
Subscribe: Apple Podcasts | Spotify | Android | Pandora | iHeartRadio | Podchaser | Podcast Index | Email | TuneIn | RSS
Bold Statements
You’re going to continue to be vulnerable because cyber theft is what they do 24/7, and they’re going to be ahead of us. And so you have to figure out what you’re going to do to mitigate your exposure.
If you don’t have a data loss prevention solution you need to get one, because once you install it and put it in place, you’ll be extremely surprised by all of the holes you have in your organization.
We want to be as innovative as possible in this organization so that we can show that things are actually sustainable; that they’re achievable in these areas and these communities.
Talk about using the payer, provider and the hospital, coupled with technology, in order to help foster a better outcome. That’s innovation in my eyes.
Gamble: Any time you’re talking about data and all this access, you have to talk about keeping it safe. I know you’ve spoken about things like cyber security, but just on a larger scale, can you just talk about data security — what is your strategy there and what are the challenges you’ve had to overcome?
Earle: Security is by far the biggest pie in the sky. As you know today, it’s one of the easiest way to getting access to data, which is a treasure trove to individuals that want to use it for nefarious reasons. But I want to put a disclaimer out there to say that no matter what you do with information, you still may be challenged. As a community hospital, I have X amount of employees to deal with security, and I work with our vendors. We do all these things. We do all the general things that everybody else does and we follow federal guidelines that help with cyber security.
But with all of that said, there is extremely high likelihood that you’re going to continue to be vulnerable because cyber theft is what they do 24/7, and they’re going to be ahead of us. And so you have to figure out what you’re going to do to mitigate your exposure from that perspective because it will happen if it hasn’t happened already.
One of the things I always say is you have to make sure you get cyber insurance. You get that and you work with your vendors and you do everything possible to help alleviate the major liability that will come as a result of cyber theft. That’s as much as you can do when it comes to getting ready for the big punch, because you know it’s coming. It’s one of those things.
As an organization we’ve worked on it. You do pen testing. You do phishing testing. You do all of these things. With social media, you try to figure out how many vector attacks will it take to bring your organization down, and also your ISP. Sadly so, it’s not that many. I’ll just put it to you like this. If places like Target or Chase that have hundreds and hundreds of security specialists that are experts at this and they have NOC and they have all of these technical barriers between the thieves and their data — if they still get hacked, guess what? What does that mean for little old St. Luke’s — what luck do we have? But the key here is you have to be prepared and you have to make sure you’re doing all the things possible to help mitigate that risk.
My goal is to mitigate the risk as much as possible by doing testing and by making sure that you have tools in place. One of the biggest tools that we have that I absolutely love is our data loss prevention solution. We keep ramping up the ability of that solution because that’s not going to protect you from the cyber hacks; what that will help protect you from is the incidental threats that you have when somebody loses a laptop or somebody inadvertently sends out PHI or PCI information in a thread of the email that may be embedded 10 threads previous that people don’t know.
These tools are extremely important in helping identify those potential threats to the organization and these are the things that I recommend. If you don’t have a data loss prevention solution you need to go and get one, because once you install it and put it in place, you’ll be extremely surprised by all of the holes you have in your organization that data is leaving. You work with your compliance people to make sure you right side it because anything else will be negligent. You do those things to help prevent the preventable scenarios, and then you just cross your fingers and you wait and you do other things to help delay the inevitable.
Gamble: It’s true, and you have to look at it that way. I’m sure once you start to really take a close look at everything, it has to be jarring at first how many holes there are, but you need to know that, and then you can take action from there.
Earle: I was at a recent cyber security conference — this wasn’t for healthcare, this was across the board, and oh my goodness, you get so discouraged as far as the battle against cyber security and these hackers. You realize there’s not much you can do. It’s just a matter of the technology — the maturation of technologies and how people work with these technologies. As an example, if we use NIS and all of these other standards to help secure us, the hackers are looking at those standards, and they understand what those standards are and they use it as a tool book. So what can you do? And that doesn’t even protect you. It protects you from what I could call leisure hackers.
Some of my colleagues in Boston were compromised when they had the major hacker group Anonymous go after them for what I would consider an ethical issue. What do you do for that? What do you do against those kind of organizations or a state-driven threat where countries come after organizations and look at soft spots in the infrastructure? Luckily it’s not as appealing right now, but we anticipate in the next few years that will change.
Gamble: I remember reading about what you talked about in Boston and that had to have been so scary. I’m sure any CIO who’s reading that was just shaking their heads.
Earle: You think about potential threats to organizations and the medical devices that are not 100 percent up to par when it comes to security — that can be a threat in itself. That’s scary. That’s actually very scary.
Gamble: Right. Now in addition to all the scary stuff, there are also so many great things happening. I wanted to talk a little bit about innovation, especially from your perspective. You’re not a giant system where you have all the resources in the world, but certainly you have some. I wanted to just talk about what you do to foster innovation and to hear out and then develop new ideas.
Earle: I think of our size as a blessing, actually. The reason why I say that is we’re able to be as agile as possible. Working with my CEO, we’ve decided that we want to be as innovative as possible in this organization so that we can show that things are actually sustainable; that they’re achievable in these areas and these communities.
We’ve put a few things in place that we found to be extremely beneficial. It’s part of a marketing campaign recently that we’re emphasizing a relationship with a mobile EKG reader that we currently use. I travel to different conferences, and I make sure that if I see something that makes sense, I align that with a respected clinical champion. When I came back from a show, I saw something where Dr. Topol —you talk about innovation, and he’s one of the more innovative people in the country if not the world—showed this device and I basically reached out to the manufacturer and decided to actually get some devices in the organization and worked with a cardiologist.
This is a great story, in my opinion. The day we gave the device to the cardiologist and showed him how to do it, he went back to his office and he in turn gave that device to one of his patients who was a prime candidate for the device. Again it’s a mobile EKG that attaches to any smartphone, whether it’s an iOS or Android or Windows phone.
Later on that night, the gentleman felt bad. His name is Frank — the story is on our website and it’s a phenomenal story. He basically felt that he wasn’t feeling good and he used the device. It gave him a reading and gave him the output, which is the EKG output. He in turn sent that output to the doctor, who’s name is Dr. Patel.
Dr. Patel in turn interpreted the EKG and was concerned. He had the person come to the office — because this is the first time he used the device — and actually confirming what was happening. He saw what was happening as a result of this EKG, and realized that the patient was actually in A-fib. As a result, instead of sending that patient to the ED, he sent the patient to the cardiac cath facility and shocked the patient so the heart rate can go back into normal arrhythmia.
That’s a huge part of innovation. It basically saved Frank’s life. And that’s amazing, because what we ended up doing by a result of just taking something that we saw, bringing it in, and making sure it was done, it showed how you can actually use the size of our organization to be agile enough to take action, and that prevented what would normally occur if somebody did not feel well and they didn’t know what to do. So they’d take a couple of days, and by the time the A-fib goes in and it’s has been for a few days, the doctor would now have to put that person on thinner and be admitted and all of these things.
We prevented his readmission and we prevented an admission or readmission, depending on how long Frank was here before, and then sent that patient back home that very day after the patient was shocked. He actually ended up going back to work the same day when he went back home. That’s an amazing example of using technology to help foster a better outcome for our patients’ lives. That’s really a huge success from that perspective.
By the way, with those devices that we purchased, we actually worked with one of our payers and they paid for those devices. They gave us a small purchase of these devices, and we were able to turn that around. Talk about using the payer, provider and the hospital, coupled with technology, in order to help foster a better outcome. That’s innovation in my eyes, and we’re doing this more and more and more. We’re very excited to use technology here. Luckily, I have an exec team and a board that helps foster that and pushes it forward.
Gamble: Yeah, absolutely.
Share Your Thoughts
You must be logged in to post a comment.