When Brian Sterud meets with his staff, he often asks two questions: “What can we do to make this more productive,” and “What did we not do well enough?” Not just because continuous improvement is a key priority for the organization, but because it provides a platform for constructive criticism, something he feels is crucial. In this interview, Sterud talks about the momentous decision his team is about to embark upon, why switching from one EHR system to another is almost more difficult than going from paper to electronic, the “sense of urgency” across the industry to beef up security, and the “holy grail” when it comes to portal adoption. He also talks about the enormous impact CHIME Boot Camp has had on his professional growth, and the characteristics CIOs need to have going forward.
- The “Holy Grail” for portals
- Security & the industry-wide “Sense of urgency”
- External penetration tests & internal threat tests
- Security committee with cross-section representation
- “We have the platform to have the discussions that we need to have.”
- Having a CEO who “gets it.”
- MU 2 attestation with providers
Gamble: As far as the portal, you talked about having a good success rate. It does seem like, from what we’ve heard, that that’s a good percentage. I imagine that’s something you have to keep building toward. Do you have plans for mobile access to the portal or anything like that?
Sterud: That’s coming with the next upgrade for our product. It wasn’t available at this point, so that will be a nice added feature. There are some other added features as far as user verification and making sure that it’s the right person. Those are some added functionalities that will be coming in our next version. Another thing we’re doing is NextGen in our clinics. We’re just bringing live now the same portal for those clinics. That will allow our patients, our consumers, and our community to be able to sign on and see visits from both the clinics and our hospital in one pane of glass. Really the next step or the Holy Grail would be the more local providers we could sign up to exchange with our portal, the better off our community is, because they’d be able to view all their data in that one patient portal. So that’s something that we’re going to work on with local providers in the next year or two.
Gamble: One of the big components of all this is security and trying to keep all this information safe which is obviously no easy task. Can you just talk a little bit about the strategy your team is using to try to protect against the breaches that we seem to see all the time?
Sterud: That’s a huge topic this year. There have been a lot of scary statistics. I think we had barely started the year and there were already four times as many breaches as there were in 2014. That was early this year. So I think the fact that some of the studies out there show your healthcare data is 10 times more valuable on the black market than your financial data or your credit card data—all those things are quite scary. And then you have the directed attacks — the spear phishing type of things that are pretty scary and coming from a couple of different countries in particular.
Another article I read said that on average, you’re compromised for about 200 days before you actually know it. And so I think the ability for that attacker to be patient to get what they really want or what they’re after is a little concerning too, knowing that you could be compromised for that long before you even know it happened.
All that being said, I think it’s really created a sense of urgency in our industry and caused a lot more focus on security, which was bound to happen if you consider the fact that we’re really trying to make up for 20 or 30 years within a four- to five-year span. It was ripe for security issues because the speed at which we were making this transition from paper to electronic really set us up for this type of scenario.
That said, we do a lot of things, just like anybody else. We do external pen tests. We do internal threat tests, which, as most know, are even more interesting at times. We’re very diligent about the risk assessments that we follow, and we work with a consultant group for that. We address that on a monthly basis, tracking where we’re going, what our vulnerabilities are, and prioritizing those. It’s really been, I think, scary for everyone concerned, but also somewhat refreshing to see the health care industry put that type of emphasis on it. I spent about 7-10 years in the financial services industry, and that was 10 or 15 years ago, and we’re doing the things that I was doing in that financial services firm 10 or 15 years ago.
It’s refreshing to see us get to the point where we’re maybe placing the appropriate resources and attention toward security where I don’t know that we always were doing that. So I think that is sort of a positive way to look at it. There’s just so much more focus on security. At our edge, we’ve done a lot more things. There are a lot of advanced features that firewall-type vendors are able to do now, and also a lot of external services that you can employ.
I think we’ve taken a big leap forward as an industry, and here at Faith Regional, we’ve done a really nice job to enhance what we’re doing including things like standing up the policies you need to do, making sure you have a security committee, and making sure our board is informed. I recently provided our security reports to our board, and it’s interesting to have the conversation, because they’re interested now. They’ve seen enough articles that it’s a conversation they’re interested in having and they’re engaged, maybe more so than they would have been a couple of years ago; there may have been a lot of blank stares in the room. Our board’s attention is focused when we’re talking about IT security.
Gamble: Right, it’s nice to see. You’ve talked about a committee. Do you have different representation on that? Who’s primarily part of that committee?
Sterud: It’s something I’ve stood up since I’ve been here. It’s still, I would say, in its infancy, but we have a cross-section of stakeholders that have a vested interest. So we have representatives from my team — it’s probably dominated by that to some extent, but also representation from medical records, which is obviously important, and representation from HR, as a lot of the things that we work on are policies, procedures, and workflows that touch HR. Our physical security team is involved, and our compliance team is involved for obvious reasons as far as where our risks are and that kind of thing. That’s a subcommittee of our IT steering committee, which has significant senior management membership on that committee, as well as other executive directors. In fact, I think all of our VPs and up are on that IT steering committee. So I think we definitely have the platform to have the discussions that we need to have.
Gamble: Right. You don’t necessarily have a security officer, right?
Sterud: I serve as the security officer. That’s something that, given our size, is a little bit of a struggle. Obviously, best practice would be to have that person be dedicated, and that’s something that we’ll explore. It’s just really hard. Hopefully, some listeners that are similar to our type of environment know that sometimes you have to do things like you have your CIO be your security officer because you don’t have the size to do it differently.
Gamble: I’m sure your organization isn’t alone on that. I can only imagine the challenge because it’s something where, I think, in the past, maybe it was assumed that it would fall under IT, but now we’ve seen things change. IT really has become much less about just technology and more about being part of that strategic vision.
Sterud: Certainly. I think the best practice, if we could get there, would be to have a full-time security officer that reported either directly to the board or maybe even directly to the CEO in some fashion so that they don’t have the reporting relationship up through IT. There’s just too much risk in having it done that way. So that would be what I’d love to see. It’s just hard for it to happen.
Gamble: Has the IT steering committee been around for as long as you’ve been part of the organization?
Sterud: It has. That structure was there when I arrived. I think it’s very well-functioning and I was pleased to see that when I got here.
Gamble: Right. I’m sure it’s good to see that it’s not just IT about technology, but really being more part of the organization strategy.
Sterud: Our CEO has some IT experience in his background. Actually, he has an advanced degree along with others, and so we don’t have to make that argument. He understands it, he gets it, and he knows how important it is. And it’s not just him. Everyone in senior management understands the value of IT, and so it’s nice that you don’t have to make that case.
I’ve been in that situation before where you have to be a little more convincing. Typically, we don’t have to do that. On the flip side, what’s nice and what keeps me honest is the level of engagement that our organization does have relative to IT, and the background and the knowledge that we have. They keep me honest, too. They’re engaged and can make sure that we’re doing the right things, too.
Gamble: You said before you’re looking at early next year to make a selection or start that process, but are there any other big projects you have on your plate? I know a lot of it is affected by that, but is there anything else really big that you’re looking at?
Sterud: I don’t know that we’re that different from anyone else, as far as we’re making a push to finish the year out relative to Meaningful Use. We’re fine on the hospital side. There was recently an update on the Meaningful Use regulation, just that it was passed along, but no final change on that yet. But even if we were still required to do a year report on stage 2, we would be just fine, so that’s not a worry to us at all on the hospital side. [Editor’s Note: This interview was held before CMS announced modifications to Meaningful Use Stage 2, including the adoption of a 90-day reporting period.]
On the provider side, as you know, each provider attests differently. So we have different cohort groups based on when our providers came to our organization. When I got here, we were in the middle of our NextGen deployment, so there were some that were going live and some that hadn’t yet. So we have a couple of different cohort groups in terms of where they are, whether it’s stage 1 or stage 2, etc., and so we’re watching closely. If the Stage 2 rule doesn’t go final and allow for the 90-day period in 2015, we would have some challenges. But we believe it’s been looking positive that that’s going to happen, and so that’s the biggest project we’re working on right now.
Going into the next year, we’ve been working pretty diligently on a lot of analytics opportunities and trying to make sure we’re doing the right things and being able to collect the data properly. That sort of reverses its way back into EHR optimization because if we’re looking for certain reports or analytics, but that data element isn’t captured properly, we’ve had to go backwards and revise certain nursing assessments or what have you in our EHR to then be able to pull and have the right reporting analytics all the way downstream.
So we’ve been working on a lot of those kinds of things. But you’re right, I think the biggest thing is going to be making sure we understand where we’re going from a long-term EMR/EHR standpoint.