It’s not exactly common for a healthcare IT executive to hold the dual role of CIO and CISO, particularly at a large organization. But when extenuating circumstances dictate that it must be done, you can either run for the hills or see it as an opportunity. Steven Goriah chose the latter, and in fact has found a way to leverage his past experience as a CIO to drive security initiatives forward at WMCHealth, a 10-hospital system based in upstate New York. Because he understands “the politics of IT,” Goriah has helped leadership across the organization to “see the value in having a robust security program — and the risks of not having one.”
Recently, Goriah spoke with healthsystemCIO about his strategic objectives at WMCHealth, including the long-term strategy to create a single source of truth across the organization and the constant effort required to secure data. He also discusses his approach to change management, why strong relationships with other leaders are critical, and the need to be willing to push the envelope.
- About WMCHealth
- Major Cerner rollout
- “We’re trying to standardize processes and workflow across the enterprise.”
- Clinician engagement
- CHIO Marc Chasin’s role in “bringing physicians and nurses into the fold.”
- Working w/ consultants to ensure at-the-elbow support
- Dual role of CIO & CISO – “I understand the politics of IT.”
- HITRUST certification process with Intraprise Health
- “Having the right partner is absolutely key.”
Gamble: Hi Steven, thank you so much for taking the time to speak with us. To start off, can you give an overview of Westchester Medical Center, which is part of WMCHealth?
Goriah: Absolutely, thank you for the opportunity. We’re doing some pretty exciting things here. WMC consists of 10 hospitals, including the main campus — Westchester Medical Center, Maria Fareri Children’s Hospital, and a behavioral health center, all located on our Valhalla, N.Y. campus. We also have MidHudson Regional Hospital in Poughkeepsie, and the two HealthAlliance hospitals in Kingston. We’re working on a major conversion to bring them together as one hospital over the next few years. In addition to that, we’re also the majority owner in a venture with Bon Secours Mercy Health, through which we operate three hospitals and several physician practices in Rockland County. We also have Advanced Physician Services, which includes around 65 practices throughout the lower Hudson Valley area.
So it’s a really interesting time. We’re trying to become more of a system; with that, we’re going through a major initiative to roll out Cerner in our main campus, our three hospitals here, our main hospital in Poughkeepsie, and all of our physician practices. We’re in the middle of that implementation now, so we’re quite busy.
Gamble: What’s the timeline for the implementation?
Goriah: We’re looking at the second quarter of 2020.
Gamble: Talk about the rollout strategy — how is the organization approaching it?
Goriah: We considered many different aspects. In the end, we decided to go with a Big-Bang strategy and take the physician practices, the main campus, and the Poughkeepsie campus live all at once. We looked at multiple options, but we all agreed this was the best course.
It’s interesting; we’re moving from Siemens Invision, which had been here for years. It’s a significant lift, as we probably have one of the most customized Invision applications in the country. As someone once said, if you’ve seen one Invision implementation, you’ve seen one Invision implementation.
Gamble: I can imagine the challenges that brings from an IT standpoint.
Goriah: It does. We’re trying to standardize processes and workflow across the enterprise, which can be difficult. The system was built very nicely, but it’s extremely customized. And so, as we deploy Cerner, we’re taking a best practices approach to clinical care standardization. We want to eliminate variation in care as much as we can. But it really is exciting; we’re working with leadership to drive change across the organization, with the EMR as a catalyst.
Gamble: I’m sure that’s not easy. How are you working to create standardized processes and workflows?
Goriah: It’s a complete collaboration; not just with the consultant or EMR vendor. We’re engaging the frontline staff — clinicians, nursing leaders, and physician leaders. All of us marching to the same beat, making sure the various areas are fully aware of why and how we’re doing things. Because the worst thing you can do is to build a system that no one is happy with, and that no one wants to use.
The engagement has been the biggest lift, in terms of getting clinicians to see the value. But I will say, they’ve been fantastic so far; we have a great group. Our physicians, our nursing leaders, and our CMO have all been engaged in the process. In addition, our CHIO, Dr. Marc Chasin, is really helping to lead that integration and collaboration with the clinicians. He’s done it before. The knowledge, clinical expertise, and gravitas he brings to the position have enabled us to bring physicians and nurses into the fold, and work as a team to build a robust, well-designed system. And not just a robust system, but one that enables clinicians to provide the best possible care for our patients.
We’re probably one of the last organizations to go through this. But one advantage is that we’re able to learn from everyone else; to take the best of the best, and build the best system we can.
Gamble: You might be surprised; I think a lot of organizations are going through this.
Goriah: That’s true. I can think of one right here in New York that still has multiple systems, and folks are really pushing for an integrated platform. At WMC, we’re at a point where we really believe it’s the right time to move to one system.
Gamble: In terms of planning for the go-live, can you talk about that process, and what went into it?
Goriah: Absolutely. We’ve collaborated with various consulting firms; e4 has been a good partner for us. We have a robust plan for bringing in one-on-one support for our clinicians for a defined period of time to make sure they have the help they need. But it can’t just be from anyone; there are experts that specialize in providing go-live support. And so we did some research and found a firm that really knows Cerner and its workflows, and has been through implementations. That has been critical in helping to ease the anxiety of our users as they start using the system.
That’s a major focus of ours; not just to build and configure a system, but to offer training and at-the-elbow support. We need to make sure we have people who understand the system from a technical standpoint, but also understand the workflows and can work with clinicians to make sure it’s being used optimally.
Because at the go-live, there’s a tremendous opportunity to teach them the right way of using the system. If they’re not using it correctly in the beginning, it’s that much harder to go back and change it.
Gamble: I’m sure. You mentioned earlier a partnership WMC has with Bon Secours. What does that entail?
Goriah: We have majority ownership of Bon Secours Charity Health System, which includes three hospitals: Good Samaritan Hospital, Bon Secours Community Hospital, and St. Anthony Community Hospital. WMC manages the day-to-day operations, and Bon Secours Mercy Health hosts our Epic environment and offers support. And they have leadership that reports back to us. It’s a different spin on outsourcing agreements. They’ve been great to work with.
Gamble: And those hospitals are using Epic?
Goriah: Yes; Epic is deployed across Bon Secours Mercy Health. To give some background on our environment, our hospitals here in Valhalla are using Invision. The physician practices are using ECW; our Poughkeepsie hospital has Meditech; our Kingston hospitals are on Paragon; and our charity hospitals in Rockland County have Epic. It’s a compilation of various different applications, which makes it really difficult to obtain a single source of truth.
We’re considering a few options, one of which is to set up a private HIE, to make sure the technology is enabling clinicians to provide the best care to our patients.
Gamble: Let’s switch gears a bit and talk about your role as CIO and CISO. I don’t have to tell you that’s quite unique. How did that come about, and how are you able to manage multiple responsibilities?
Goriah: There have been some changes at Westchester Medical Center, which is why I have the dual role. I’ve had the CISO role for some time, as we’ve gone through this journey from being a system that did HIPAA audits to being HITRUST certified. During that two-year span, we’ve really examined our processes to make sure they’re standardized and structured. We started with the NIST Common Security Framework, but after looking at different options, we decided it would benefit us as an organization to go through the HITRUST process. And so we partnered with Intraprise Health (formerly BluePrint Healthcare) to do an assessment, during which we were able to engage with our clinicians and work together to earn that HITRUST certification.
As far as having the two roles, because I was a CIO in the past, I understand the politics of IT. I understand the leadership and governance challenges. I’m able to drive security forward by allowing the organization to see the value in having a robust, fully-engaged security program — and the risks of not having one. Being the CIO allows me to do that.
Gamble: Let’s get into the HITRUST journey a bit more. What did that entail from a leadership standpoint?
Goriah: As we decided to progress down that road, we didn’t realize the amount of effort that was required — not just from IT, but from every aspect of the organization. It was truly an organization-wide initiative to become HITRUST certified. Whereas a typical security program is more focused around IT, and others can be engaged as needed, HITRUST is so encompassing; it covers NIST, ISO 27001, and all of the other frameworks. With HITRUST, we needed everyone marching together.
And so our Board issued an edict after hearing about some security incidents and noticing a heightened sense of anxiety, and we decided that HITRUST was the appropriate step to take. That was two years ago. We chose to partner with Intraprise Health; I was familiar with the organization, having worked with them during a previous CIO engagement. It turned out to be the right decision; they were true partners in guiding us and helping us understand what HITRUST is, and what the journey would look like.
Again, we didn’t know the amount of work that would be required — not that it would have stopped us. We still would have done it, but it was eye-opening to see how much was involved. It’s not just showing you have certain things, but providing evidence that you have the controls in place. It was a significant effort; I don’t think we would have been successful without having Intraprise in our corner. Having the right partner is absolutely key in any HITRUST program.