When Patty Lavely stepped into the CIO role at Gwinnett two years ago, one of her top priorities was to build a strong relationship with the CNO. It was something she had admittedly struggled with in the past, but one of the many lessons she learned during her time in consulting was that relationship management is an essential skill for today’s CIOs. In this interview, she shares more takeaways from her time in consulting, including how to build trust, and how to avoid the common trop of hiding behind bureaucracy. Lavely also discusses leading a major EHR selection process, how the organization revamped the security process by reassigning responsibilities, and the “daily challenge” CIOs face with prioritization.
- Revamping security
- Cybersecurity talent — “We found it very difficult to recruit those skills.”
- Prioritizing by communicating
- Information Management Planning Council
- Executive support — “Our leadership team is willing to ask questions.”
- Starting a consulting company
LISTEN NOW USING THE PLAYER BELOW OR CLICK HERE TO SUBSCRIBE TO OUR iTUNES PODCAST FEED
Our pay scale for that type of role isn’t usually in line with the IBMs of the world and the companies that focus just on security and technology, so I think that’ll continue to be a challenge for us.
I try to spread my time equally and really understand what their priorities are, because their priorities and the organizational strategic priorities should drive mine.
Our leadership team is willing to participate and to have the discussions and to ask questions if they don’t know, and they’re willing to allow me to ask questions of them and to learn more about their organization so that I can better prioritize on their behalf.
That was when I thought, this is when this group is really working — when I’m not the one driving the agenda. So I left that meeting feeling very hopeful that our governance is really working. It’s not me rubberstamping everything.
After talking to a lot of people and consulting with some of my friends who were incredibly helpful, I decided to develop a company myself around this idea that CIOs are very busy, and if they had more time in the day, what would they be doing with it? That’s what I could do for them.
Gamble: I want to talk about security. It’s something that’s always on everyone’s minds and it’s one of the things that keeps CIOs up at night — anyone can understand why. So I wanted to talk about your strategy there.
Lavely: I’ve been here two years. We are in the process of enhancing our security program — sort of rewriting it to some degree. When I got here, a new compliance officer started at the same time or really close to when I did, so we spent the first year of both of our time here really looking at what was here and coming together and sort of redistributing responsibilities. And so now where it used to all fall to information systems, it’s now a joint responsibility between compliance and information systems. Really how we sort of draw a line in the sand is that compliance is responsible for audits and policy, and we are responsible for implementing the technologies and enforcing the policy with technology. Between the two of us, we both sit on the incident response team — the two executives or myself and the compliance officer, and we rewrote the protocol and the policy for incident response and communication, all of that.
I think we have a very good process and program as far as that goes, so now we’re taking a look at all of our technology and our overall risk assessment schedules. We recently contracted with a new cyber security vendor who we’re going to outsource all of our risk assessments to, and then use them to supplement our skills. Because one of our challenges with security is having the right skills in-house that really understand this idea of cyber security. We found it very difficult to recruit those skills. So as of right now, we’re going to outsource that. We’re going to continue to try to recruit them, but I think that’s going to continue to get more and more challenging.
Gamble: I can imagine, because it seems like you’re competing with every other industry for that kind of expertise.
Lavely: We are. I was recently at a presentation. One of the speakers was a security engineer with IBM, and he was talking about the challenges with recruiting the right skills for IBM — he had like 50 positions he needed to fill over the next year. And I thought, if this guy can’t recruit, how am I going to fill my one little security engineer position?
So it is really a challenge. We’re a not-for-profit community health system. Our pay scales for that type of role isn’t usually in line with the IBMs of the world and the companies that focus just on security and technology, so I think that’ll continue to be a challenge for us. We’re in the process too of trying to grow our own. We’re getting a couple of our network guys training and trying to get them sort of engaged with the community of security experts.
Gamble: That’s going to be such a huge role going forward. As everything starts to become so much more mobile, I think that’s going to be a whole new job opportunity for people.
Lavely: I think so. It’s a whole new field emerging and I’m seeing more and more at our local universities. I’m involved with a technical college here in Gwinnett County and they are just starting a cyber security degree program, so of course we’re trying to get involved. We’re trying to influence the curriculum and make sure we get access to some of those interns and graduates. So yes, I think it’s really an opportunity. And it’s very interesting. I don’t have a whole lot of time to spend on it. I wish I had more because it is incredibly interesting work.
Gamble: When you talk about how you do spend your time, that’s kind of a good segue into one of the other challenges I wanted to talk about, which is prioritization and how that’s you deal with that having so many things that seem like they’re all on the front burner.
Lavely: You know, it’s a daily challenge. It’s something I really have to look at daily almost. But I think at the high, high levels, what I try to do — and this takes time — is to be current with my peers so that I understand what their priorities are. At different points in time, I may be more current with nursing versus radiology or the COO versus the CFO, but I try to spread my time equally when possible and just really understand what their priorities are, because their priorities and the organizational strategic priorities should drive mine. If I’m not leaving my office, I start creating my own priorities and I lose sight of theirs. So I try to remember that.
And then you come back to like security where nursing and operations and finance — they’re not thinking about that; I have to think about that. Compliance thinks about that. So that’s one of those priorities that is really driven by this office, and I have to be sure to keep that in the forefront as well. And then if you just think about the infrastructure and capacity management and all the things that go along with that and system availability, that’s for me to prioritize and to help educate the operational leaders of the organization on those things so they can help me prioritize it all along with their things.
We do have governance here, we call it the Information Management Planning Council, and it is made up primarily of senior executives. When I started, that group was in place; it was meeting bimonthly and it really was sort of an IS reporting project status to this body, and then once a year they’d talk about capital budget priorities. It was not a very interactive group, and so we’re slowly but surely changing that. And actually, I don’t do project updates to them anymore, because we do those in other meetings, and if they’re the executive sponsor, they’re getting an update already. So we decided to stop doing that and only really talk about those projects that were being proposed, or if we do want to report back at the end of a project, whether or not it met its goals for implementation. But we really are not doing regular project updates, and we are meeting weekly, so they, by default, have become the steering committee for this enterprise system selection. We’re trying to really get them more engaged and talk about where we should be spending our resources. Now that we’re considering this enterprise project, we need to reconsider all these capital requests for next year and really think about this in terms of, do we want the organization spending time over here when we have this more important project?
It’s been really good. One of the things I love about this job is our leadership team is so willing to participate and to have the discussions and to ask questions if they don’t know, and they’re also willing to allow me to ask questions of them and to learn more about their organization so that I can better prioritize on their behalf. So it’s been a really good group to work with.
Gamble: It makes sense that the more everybody knows about each other, the less it becomes just people having to sell their own priorities and the more it becomes about real collaborative discussions.
Lavely: Interestingly, we just had a meeting last week, and the first two items on our agenda where unplanned projects that were brought up for various reasons. And actually, my name was on both of them. I planned to bring them forward myself, although I wasn’t necessarily the one that brought them up. I didn’t actually say word about either one of them. The groups discussed them, they discussed the pros and the cons, they discussed the implementation resource requirements, the capital and expense budget requirements, and I just sort of sat back. At the end of the discussion, I made a recommendation as to how to move forward that I had planned to make, but that was when I thought, this is when this group is really working — when I’m not the one driving the agenda. So I left that meeting feeling very hopeful that our governance is really working. It’s not me rubberstamping everything.
Gamble: I would think that definitely would be validating.
Lavely: It was. It really was.
Gamble: Okay, so you said you’ve been there about two years now?
Lavely: I have.
Gamble: Talking about your career path, you had CIO roles previously at Putney Memorial Hospital and Memorial Health University Medical Center, and then went into consulting. So I want to talk first about why you decided to go into consulting, and then what your thoughts were going into that from the CIO role. I’m sure that’s an interesting perspective?
Lavely: It was and it was actually a great experience. I started a consulting company because I had left the position at Memorial Health in Savannah and my daughter was in high school in Savannah, and I didn’t want to move. And there are only two healthcare CIO roles in Savannah — I had one of them, and the other one wasn’t open. And so I knew when I decided to leave Memorial that I was going to have to figure out what to do. I had in mind that I would do consulting for a while, while my daughter was in high school.
I spent a lot of time sort of looking at the field — do I want to go work for someone, do I want to stay independent, do I just want to be by myself? What I want to do and what kind of consulting? After talking to a lot of people and consulting with some of my consultant friends who were incredibly helpful, I decided to develop a company myself around this idea that CIOs are very busy, and if they had more time in the day, what would they be doing with it? That’s what I could do for them.
So that was the idea of what I went out and started marketing. A friend of mine who is a nurse — a high-level senior nurse informatics type person — who had been out in the industry for a little bit and was looking to get back. So I sort of had her in my back pocket. She wasn’t in any rush, but I thought if I come up with an engagement and I need some clinical expertise for it, I have this friend who will work with me. And so, I did a couple of small engagements and I did some interim leadership of technology at one particular place. And then I did an interim CIO position for a healthcare system in New Jersey, which required full-time travel, and up until then I had really just been traveling part-time. I actually brought my friend in, the nurse informaticist, and we did a lot of great work there and it was a lot of fun.
One of the things I discovered in that engagement is that I don’t want to travel full-time. I never really had done it, so I wasn’t really sure if I’d like it or not, but after doing it for a year and a half, that’s not what I want for myself. However, it’s easy enough, and at that point, I could have changed my role and gone back to part-time; that engagement was going to end. By that time, I had moved back to the Metro Atlanta area, and then received a call from Gwinnett, and long story short, I ended up taking this position.