It goes without saying that the Covid-19 pandemic affected every major industry. Some — like restaurants and airlines — suffered, while others (like home gyms and tent vendors) thrived. For healthcare IT, however, it proved to be the ultimate litmus test.
And while some organizations passed with flying colors, for many, the need to rapidly shift to virtual health and remote work uncovered a significant gap.
“We didn’t realize the depth of our technical debt,” said Saad Chaudhry, who recently took on the role of CIO at Luminis Health. “There were basic things missing,” most notably the framework needed to support digital transformation.
As leaders reflect on 2020 and turn their focus to the New Year, it has become clear how important it is to have solid strategies in place to maintain business continuity, enable digital health, and protect data. During a recent webinar, Chaudhry addressed these topics, along with Tony Ambrozie (Chief Digital Officer, Baptist Health South Florida), Aaron Miri (CIO, Dell Medical School and UT Health Austin) and Ryan Witt (Managing Director of Healthcare, Proofpoint).
The discussion centered around the key takeaways from 2020, a year that has been “one for the books,” according to Chaudhry. And although there were many lessons learned, below are some that particularly stood out.
- Contingency planning. During a year fraught with challenges, Chaudhry quickly realized that although “a lot of lip service” is paid to contingency planning, it’s often just that. “Until something absolutely breaks, we’re not looking at maintenance.”
- Framework for virtual health. The same held true with telehealth strategies, which ramped up quickly, and for rural organizations, become a lifeline, both for patients and providers. The problem, according to Chaudhry, is “there wasn’t a lot of thought in how this would work” in the event of a major shift. “These things didn’t require a lot of innovation, and no invention whatsoever. They already existed.” And yet, “we didn’t have the ability to activate them from soup to nuts when the time came.”
- Tracking technical debt. To some extent, every organization has acquired technical debt, and although eliminating it entirely may not be realistic, leaders must strive to minimize it, said Chaudhry. “There is a healthy amount of technical debt you live with. The buildup is what can get you if you let it get out of control.”
- Investing in the future. Ambrozie agreed, noting that there’s a tendency to let debt accumulate from year to year, particularly when things are stable from a financial standpoint. “It’s very important to invest in that technology and eliminate as much technical debt as possible,” while also keeping systems current. “I don’t think we could have done what we did this past year without having those elements in place, and without having invested on a consistent basis.”
- Thinking on your feet. For Miri, the biggest takeaway from 2020 was the ability to “deal with unknown obstacles that are coming your way,” and, when you don’t have the right tools or resources, be able to make do with what you have. “That ingenuity and the ability to be agile on your feet became critical,” he said.
All of these factors, however, would be null and void without the ability to secure data; a feat that become exponentially more difficult with the seismic shift to virtual health. As the industry adapted to enable care (and work) outside the home, and as researchers gained more information about Covid-19, the attacks evolved. According to analysis performed by Proofpoint, threats ranged from imposter emails purporting to come from the CDC, to offers to purchase PPE, to false tax stimulus information. Now, said Witt, hackers are targeting the vaccine supply chain.
And they’re leveraging social engineering as a means to launch attacks, he noted. “The same level of dedication, sophistication, and patience that led to a cybercriminal finding a zero-day exploit has now been deployed to harvesting data from Facebook, LinkedIn and other social media sites.” It’s an area Proofpoint will continue to track closely, he noted. “We believe understanding where attacks are occurring is the best way to figure out where to roll out your adaptive controls.”
It starts with identifying the weakest link, which, more often than not, is the human element. And the easiest way to gain entrance is through social networks. “That’s what we’re most afraid of,” said Chaudhry. “And the only way to combat that is through education and proliferation of best practices.” That means going beyond anti-phishing campaigns and ensuring your teams can differentiate between communications that come from leadership, and possible scams.
While it certainly isn’t easy, it has become an essential component in the ever-evolving CIO role — and not something that can be delegated to security leaders, Chaudhry noted. “There can’t be a day that goes by when you’re not thinking about cybersecurity. Having a CISO doesn’t offload that; it means you have a partner you can strategize and work with.”
For Ambrozie, who is new to healthcare – having previously held leadership roles with the Walt Disney Company and American Express – involvement in security is essential. “It’s not just about being supportive of the CISO,” he said. “The CISO doesn’t develop the code. The CISO doesn’t necessarily run infrastructure.” Rather, it’s the CIO who must fight to secure funding, and drive the infrastructure and development teams to do the right things within the right timeframes.
That partnership will only become more important going forward, Chaudhry added. “The bad elements are going to stay one step ahead, because they’re always researching ways of attacking. We’re constantly being attacked and it’s not going to get easier.”
It’s a lesson Miri’s team learned when a forum designed to facilitate PPE exchange was attacked minutes after going live. “Luckily we had our defenses in line. We have a defense-in-depth strategy and stack around that,” he noted. But if a “simple forum” created to help protect clinicians can become a target, anything can.
What it also means is that leaders can’t underestimate the level of sophistication when it comes to attacks, and how far bad actors will go to determine how best to penetrate both the organization and the individual, noted Witt. “They will make assertions about your hierarchy and your level of authority. And they’ll launch very compelling lures leveraging this incredible amount of data, which unfortunately is out there in the public.”
On the bright side, because of the high-profile breaches that have occurred, executive boards have become increasingly aware of the need to invest in security, he said. “It’s an interesting point in time where the linkage between digital innovation and cybersecurity is totally connected to a hospital’s mission.” On the flip side, they’ve also recognized that the edge of the network has been extended with the increase in remote work. However, “the bad actors recognize this as well,” he said, which means “you need to put controls in place to protect the threat vector, because once they’re in, they wreak havoc.”
Because more “havoc” is the last thing any healthcare organization needs, Witt cautioned against the DYI approach that can lead to trouble. Instead, he recommended that leaders identify a trusted security provider, and leverage their resources and expertise to implement the right controls.
What to expect in 2021
Finally, the panelists discussed the most prevalent trends of 2021, which included: cloud providers continuing to infiltrate healthcare; innovative products with integration capabilities; more mergers and acquisitions among vendors and health systems; and an increase in digital savvy among patients — and, as a result, higher expectations in terms of engagement.
“What we saw with COVID 19 particularly was that it’s no longer okay to force your patients to have to only engage with you in one or two modalities,” said Miri.
In terms of organizational priorities, digital transformation and machine learning topped the list, making it more critical than ever for CIOs, CDOs and other leaders to expand their skillsets and demonstrate a willingness to grow. “I think 2021 is going to bring a cycling of organizations looking to modernize the role of the CIO and look for people who are didactic,” Miri noted. “If you’re a dinosaur IT leader, and you do not understand how the business works, you’re going to find yourself looking for another job very soon.”
To view the archive of this webinar — Future State: Envisioning 2021 & Beyond (Sponsored by Imprivata) — please click here.