To say that the HITECH Act changed the landscape is an understatement. But one of the most critical impacts it had — which is somewhat overlooked — was on advocacy. Or perhaps, the lack of advocacy among healthcare IT leaders, says Theresa Meadows, SVP and CIO at Cook Children’s Health Care. When the Meaningful Use requirements were handed down with minimal, if any, input from those in the trenches, “we learned our lesson about not being involved.”
A decade later, it’s a completely different world, thanks to people like Meadows, who consistently carve out time for advocacy, whether it’s educating Congress and federal administrators about the value of health IT, or participating in task forces and working groups. It’s that passion that earned her the 2019 Federal Public Policy Award for CIO Leadership from CHIME.
Recently, healthsystemCIO spoke with Meadows about the key challenges leaders face — particularly from a cybersecurity standpoint; the pivotal role CHIME has played in giving leaders a voice in Washington; and why she believes the industry is moving in the right direction when it comes to sharing knowledge.
Gamble: Hi Theresa, thanks so much for taking some time to speak. First off, congratulations on receiving the Federal Public Policy Award. I’m sure it’s a tremendous honor.
Meadows: Thank you. It was a really nice surprise; I wasn’t expecting it at all. To me, policy work is a labor of love. Everything we do in policy is above and beyond what we do in our day jobs, so to be recognized means a lot.
Gamble: And you’ve been involved in multiple initiatives, including the HHS Healthcare Cybersecurity Task Force, and the Health Sector Council Cybersecurity Working Groups. Can you talk about experiences you’ve had, and where things stand with those initiatives?
Meadows: The Cybersecurity Task Force was a one-year commitment where we were charged with providing recommendations around improving cybersecurity. The Joint Cybersecurity Working Group has taken those recommendations, which were published in a report last year, and created action items to help protect data.
At last count, we had 18 groups working on various initiatives. One is specifically focused on improving medical device security — not just from a manufacturing standpoint, but also from a hospital end-user standpoint. We’re working with the FDA to make those improvements there.
That’s the great thing about these working groups; typically we have representation not just from hospitals, but manufacturers, vendors, and the federal government. Through this collaboration, we’re able to produce recommendations, guidelines, and practices that can be implemented. It goes beyond high-level recommendations to put actual plans into place, and it’s all due to efforts of people like Erik Decker, who has done so much in this space.
It’s a great opportunity to make a contribution and help change the industry as a whole.
Gamble: You mentioned medical devices, which is a really interesting area. Do you think progress has been made as far as providers and manufacturers working together to increase security?
Meadows: I definitely think progress is being made. It is such a difficult issue to tackle. The majority of work is focused on the future; how to secure devices going forward and build a roadmap to ensure the products that are being developed won’t have the same issues we have today, and that there’s a plan in place to address cybersecurity. The biggest challenge — one that will be ongoing — is with securing legacy devices. How can we do that? Are there opportunities to create software or patches that can be applied to older devices, or is there a more creative thing we can do to help organizations who don’t have the money to buy the latest and greatest tools? In some cases, it’s going to take 10 to 20 years to get this equipment out of the environment.
Looking at my own organization, we have around 15,000 medical devices; we can’t even think about asking for funding to replace all of those. And so that’s where we need to apply our brainpower and put our heads together to come up with strategies to protect these devices until we can get them out of our environments.
Gamble: Another issue that comes up a lot is the lack of cybersecurity talent across the industry. What are your thoughts on that?
Meadows: There’s a lot being done to address the gap, but at the same time, we’re still years away from being able to fill all the security positions out there. That’s why I believe there’s a prime opportunity to create partnerships and pool resources to be able to provide better security. If you think about it, a small physician practice can’t afford to have a dedicated security person — or even understand the need for it.
We need to find mechanisms to work together for the benefit of the industry. And that’s a new concept. We may not be able to partner on an EHR implementation, but maybe we can partner from a security standpoint and help each other. Because the reality is there isn’t an end in sight as far as this shortage, and we’re competing with other industries with deeper pockets.
Fortunately, there are organizations who are pushing the envelope when it comes to workforce development. The University of Texas, for example, recently created an educational program and track for cybersecurity professionals. It’s the first of its kind focused specifically around healthcare security.
So clearly there are things on the horizon, but there’s still a lot of work to be done.
Gamble: With educational programs like that one, and the CISO Boot Camp offered by CHIME and AEHIS, is the idea to educate not just CISOs, but other C-suite leaders?
Meadows: It is. Initially we’ll see a lot of CISOs attending Boot Camp, but the idea is to train future CISOs. If being a CISO is a career goal, what skills are needed to get there? So I think we’ll see people in director and analyst roles, and others who leaders see as having the potential to take on a larger role, but need to develop their skills further.
What leaders want in this role is someone who is well-rounded. It’s great to have security and technical expertise, but a lot of it is managing relationships, educating executives, and balancing the need for security with the need for usability. The CISO role is less about technical expertise, and more about how you can interact with others and convince them about what needs to be done to protect an organization.
Gamble: It seems like there are a lot of parallels with the CIO role and how it has evolved.
Meadows: Absolutely. I think there’s a lot of blocking and tackling that CIOs, CTOs, and CISOs can learn in terms of collaboration, communication, and partnership.
Gamble: Another topic that’s come up recently in cybersecurity discussions is supply chain. What are you seeing in this area?
Meadows: Interestingly, just last month the Healthcare and Public Health Sector Coordinating Council released recommendations on supply chain cybersecurity risk management. It walks through some actionable guidelines and provides tools that small and mid-sized organizations can use to assess different types of risk.
That was one of the recommendations from the Task Force, because this can affect our ability to receive medication to be able to complete the supply chain initiative. This document has a lot of practical guidelines on how to protect the supply chain.
Gamble: Switching gears a bit, you’ve been with Cook Children’s for about nine years. When you look at how far the organization has come, what goes through your head?
Meadows: We’ve had a lot of change here; and honestly, I think that’s why I’ve stayed. It’s a stimulating environment where we’re always doing new and exciting things. That’s what I’ve always looked for in a career — to be constantly challenged, and to be able to help others through those challenges.
Gamble: And of course, you’re able to satisfy that with your policy work as well. What made you become interested in that arena?
Meadows: I have to say, I never really understood the connection between healthcare and policy until Meaningful Use. That’s what helped me to turn the corner and get more involved. Some of these initiatives sound good on paper, but in practical terms, they’re hard to implement, and they’re hard for clinicians to do consistently over a long period of time.
I wanted to become more engaged and learn more about public policy — how can people get involved? How can our voices be heard? That’s where CHIME has played a big role. Before CHIME was involved in advocacy, it was very difficult for a single CIO or single organization to make an impact on anything from a legislative perspective, because they didn’t have enough of a voice.
The work we do in public policy is so important, because we can drive substantial change simply through the amount of people who are engaged, and the amount of input we receive. When Meaningful Use hit, we learned our lesson about not being involved. Now, we have a very good partnership with government, because we’re seen as a credible resource; not just a group that complains. That’s a change that’s happened in the past five years, and honestly, it’s something we have to work hard to maintain, because there is no such legislation that comes out. Almost everything has a policy component, and so we have to choose what’s most important. That’s the hard part.
Gamble: Sure. The last thing I wanted to talk about is collaboration. When it comes to sharing best practices around cybersecurity, do you think the industry is headed in the right direction? Is there more willingness to share?
Meadows: I do think there is more willingness, but I think we still have some barriers because of the current regulations. People are still nervous to share publicly if they have an incident, for fear of retribution. But I also think information security sharing organizations like H-ISAC are opening the door for people to have discussions.
I also think there’s more sharing of information between healthcare and the federal government, mostly because of the joint working groups. There’s much more transparency now about things the government sees as potential issues; as a result, we’re able to be more proactive versus reactive when those issues arise.
There really has been a lot of improvement. The fear is still out there, but the more organizations are willing to participate, the better we’ll be able to alleviate those fears and resolve issues.
Gamble: The fear is understandable, but it seems like things are moving in the right direction.
Meadows: They are. It’s going to continue to take time and effort, but we’re prepared to keep plugging along for as long as we need to.