There’s a little secret when it comes to doing advocacy work. Although the core objective is to push the industry forward by giving healthcare leaders a voice and influencing decision-making, there’s also another key advantage for those who put in the time: education.
For Brian Sterud, recipient of the 2023 CHIME Public Policy Award, being involved in committees and workgroups has helped him to better understand the implications of the many regulations being handed down. “I still feel like I don’t have a good enough handle on a lot of the things that are coming out, but I can only imagine what it would be like if I wasn’t involved.”
Fortunately for CHIME, Sterud – who serves as CIO and CISO at the Nebraska-based Faith Regional Health Services – most certainly is involved. In fact, he’s moderating a session at ViVE24 (on Monday, 2/26 at 10 am PDT) entitled, “The Providers Strike Back: Policy Jedi Masters,” which will feature fellow advocates Saad Chaudry, Mari Savickis, and Tressa Springmann.
Recently, healthsystemCIO spoke with Sterud about his key areas of interest in the policy space; the cybersecurity burden facing small and rural hospitals; and why networking is “worth its weight in gold.”
On winning the CHIME Public Policy Award
Gamble: Hi Brian, as always, it’s great to speak with you. First off, congratulations on receiving the Public Policy award! That’s such a big honor. What were your thoughts when you first found out?
Sterud: It was extremely humbling. Honestly, there are so many other people who are more deserving; people who spend more time on this and are able to do more than me. Where I was able to make an impact was by reviewing documents on short notice and providing comments. But yes, it was very humbling. I was thankful to be honored in that way.
Gamble: What are some of the areas that are most interesting to you in terms of policy?
Sterud: I don’t want to be completely pigeonholed based on the size of the organization. Faith Regional is certainly smaller than some of the large health systems, but we’re larger than a significant number of hospitals too. And so, I think I can provide the perspective of a small to mid-sized organization. But I think everyone has something to offer, regardless of the size of the facility.
The other key area is that I also serve as our chief information security officer in addition to CIO. We’re never going to be big enough to have both of those roles. And so, I represent the voice of cybersecurity, both from a holistic perspective and from the perspective of a facility of our size.
On the PATCH Act
Gamble: Can you give a little more information about the PATCH Act and some of the advocacy efforts in that arena?
Sterud: I’ve done some work with the Protecting and Transforming Cyber Health Care (PATCH) Act to create stricter cybersecurity measures for medical devices. We need to get to a point where we can have a better understanding of what’s happening with devices. It also sets the stage for vendors to be a bit more active in this area than they’ve been in the past. It puts more onus on them to provide a software bill of materials (SBOM) to help identify potential vulnerabilities. In the past, we would purchase a solution and look under the hood only to see other components that we may not have known about. Now, it’s part of the process to include all of that.
To be honest, I think it remains to be seen how dramatic the impact of the PATCH Act will be. I think as with anything, acknowledging that there’s an issue is the most important piece. We may not have figured out how to fix this, but I think getting a spotlight on it and understanding that there is an issue is a pretty critical first step.
On resources for small and rural organizations
Gamble: One of the positive trends we’ve seen in the cybersecurity industry recently is more awareness around the resources that are available for small and rural facilities that are financially strapped. Has that been a key focus for CHIME’s Public Policy team?
Sterud: It has. One area in which we’ve tried to beat the drum — and will continue to beat the drum — is in bringing more attention to the work the 405(d) Task Group is doing to provide best practices for reducing security risks in a cost-effective way. You can go in and learn more about what you should be doing, based on the type of facility. There’s so much value in that.
And then recently, HHS published the Cybersecurity Performance Goals, which align pretty nicely with the 405(d) practices for securing information. That’s something a lot of CIOs and CISOs are looking at in terms of how do we deal with these things and how do we align it with what we’re already doing?
On the cybersecurity cost burden
Sterud: There are definitely organizations that struggle with the cost of cybersecurity services. But at the end of the day, it’s one of the things that can really impact our ability to be financially solvent, to be honest. Investing in cybersecurity — that’s table stakes, and it’s necessary to protect against a large breach, which can be crippling to an organization. You have to make those additional investments.
Of course, you have so many other things going on, including increased labor costs and issues with reimbursement. On top of that, the payer mix has been a challenge for many organizations. It’s a lot, and it’s very hard to know whether you’re doing all the right things. Meanwhile, you still have to produce a strong enough bottom line to cover your expenses, which is becoming harder to do. It’s definitely challenging.
On cybersecurity performance goals
Gamble: It really puts a lot of pressure on leaders, especially those at smaller organizations.
Sterud: It does. It would be nice to go to bat and say, ‘I need more funds to invest in cybersecurity.’ The problem is that, in some cases, you’re asking for something that doesn’t exist, and so you’re forced to do some triaging. Do we have to do this? Is this something that can wait?
At Faith Regional, I think we’re in a good position. We’ve scored well on our assessments and we’re doing a lot of good things. Nobody is doing everything they can possibly do; but you need to make sure you’re doing everything you can with what you have.
On getting involved in policy
Gamble: I can see that policy work is really important to you. How did you get involved in it?
Sterud: I love that question because I believe everybody has strengths and weaknesses. For me, I don’t enjoy reading policies. I don’t enjoy reading contracts. But it’s a fact of life that in my role, you need to be able to do those things. You need to become at least decent at reading contracts. And so, it’s an odd marriage between those two worlds.
I’m not sure how exactly I got involved in policy, but I’ve been doing it for a few years. It’s not necessarily a core strength of mine, but I believe working with committees and working with CHIME is so monumentally important to CIOs in terms of understanding either what’s coming down the pike or what has been released, and helping to distill what it means.
Having that collaboration is much easier than sitting in an office trying to read through it and understand it on your own. I think that’s part of the reason why I got involved: so that I can have a voice. I still feel like I don’t have a good enough handle on a lot of the things that are coming out, but I can’t imagine what it would be like if I wasn’t involved. I can’t imagine what it’s like for someone who isn’t part of these conversations to find a way to sift through everything.
On the value of CHIME cheat sheets
Gamble: It’s interesting because obviously it’s helpful for the industry when CIOs and other leaders are involved in policy discussions, but it seems like it has benefited you personally.
Sterud: Definitely. One of the biggest things CHIME does is provide ‘cheat sheets’ to help people understand what’s happening with policies and what we need to do to comply. For example, I was just looking at one for the HTI-1 (Health Data, Technology and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing) Final Rule. What does it mean if I’ve developed my own algorithm? What are the new criteria for certification? These are important questions. Cheat sheets are a great way for people to maintain the knowledge they need.
On successfully navigating ViVE and other events
Gamble: When you’re at events like ViVE, I imagine it can be overwhelming, especially for those from smaller organizations or people who don’t usually get to attend shows. Any advice on how to get the most out of these types of events?
Sterud: Honestly, it’s always a challenge. Some people have a strategy when they go to conferences, but I don’t tend to do that. For me, it’s more about, what’s top of mind? What problems are we trying to solve? Is there new technology that I want to learn about? It’s going to be different from one CIO to the next, based on your priorities. If your organization is, for example, going through an EMR transition, that consumes your entire world. And so, you’re probably looking very closely at those types of things. A lot of organizations are implementing a new ERP system, which involves evaluating partners and solutions.
A lot of us are really struggling with workforce issues: how can we retain people and what outsourcing opportunities are there that might be a good enough fit? Even if that’s not our first choice, are there ways that we can utilize outsourcing in a smart way to help handle some of these issues, at least in the short term?
It’s about finding solutions or having conversations about the issues you’re dealing with at your organization.
On the value of networking
Gamble: It’s also about growing your network, right? Finding people who you can reach out to when you have questions. That’s so important, especially now.
Sterud: Yes. For me personally, I get more from networking and meeting people than anything else. It’s so important to talk with people and form those connections. And you might not reach out to them right away. It may be six months later that you say, ‘I remember meeting Kate and talking about a problem that she has at her organization. I’m going to call her.’ That’s worth its weight in gold.
On the $50K omelet
Sterud: Another thing I would add is that I used to be part of a networking group that would meet for breakfast. It was a chance to talk with other people who are in the same boat. I remember being at one of those breakfasts at a conference and something came up about a licensing issue that we weren’t aware of.
All it took was five minutes and we saved $50,000 by avoiding a mistake. For larger organizations, the number would’ve been much higher. That always stuck with me; you could be sitting down eating an omelet and shooting the breeze with someone and learn something so important. I can promise you that the trip didn’t cost the organization $50,000. And so, I always keep that in mind. You can come back from a conference with a wealth of knowledge packed into a giant notebook, but then there are those $50K omelets that can happen based on networking.
On building relationships
Gamble: It’s amazing what can come from an impromptu conversation. I guess the message is to keep your eyes and ears open, right?
Sterud: Yes. And I know this may sound cliché, but clichés are clichés for a reason. The people you meet become your friends. And you build those relationships by having social conversations. There are just so many benefits to having a good network.