Nobody would argue that health systems did what they had to do during the initial Covid surge. Whether that involved ramping up remote workforces or quickly adding much needed vendors around technologies like telehealth – speed was the name of the game. However, when Covid cools down, Imprivata CTO Wes Wright says it’s critical to revisit what was done on the run to ensure security has been shored up. In this Partner Perspective interview, Wright talks with healthsystemCIO Editor-in-Chief Anthony Guerra about these issues, his career (including the value of his time in the military), and upcoming trends.
Guerra: Wes, thanks for joining me today.
Wright: Always my pleasure to have a conversation with you, Anthony.
Guerra: It is going to be a pleasure and I’m looking forward to it. Wes, tell us a little bit about your organization and your role over there.
Wright: Most folks in healthcare know Imprivata pretty well. That’s one of the reasons I chose to come to Imprivata. It’s a very, very well known, well trusted company, mostly known for our Tap & Go solution. But four years ago we purchased the Identity and Access Management Business of Caradigm and have really made the conscious decision to become healthcare’s digital identity company; and that is to help our customers control their digital identity from provisioning all the way to de-provisioning and all the pieces where digital identity is used in between there from re-authentications in EHRs to multifactor authentication. So, we’re not your mom and dad’s old Tap & Go company anymore. We’re a full-fledged healthcare solution.
As far as my role goes, I’m the chief technology officer. I’ve been on the provider side and this is my first venture out to the vendor side. I was on the provider side for about 25 years. My role is really super customer facing, in that I kind of know the pain that most of our customers are going through and can really help apply our solutions to solve some of that pain, so to speak.
Guerra: Tell me about your career on the provider side and some of the places you’ve been and things you’ve done that you’re most proud of.
Wright: Sure. As all healthcare chief technology officers do, I started out in the Air Force as a Korean cryptologic linguist.
Guerra: Haha. Is that very common?
Wright: Yeah, that’s the normal route for healthcare CTOs from what I understand, Anthony (LOL). Then I got out and came back in the Air Force. I spent my last 13 years in the Air Force as a health services administration officer and, within that career field, did CIO type of stuff. I did that the last 13 years I was in the military. I started out at a small community hospital in Japan, then a bigger hospital in northern California, and then finally ended up, as my last assignment, in Hawaii as the chief information officer for the Pacific Air Force Healthcare Medical Services, which meant I was responsible for the activities in hospitals in Korea, Japan, Guam, Alaska and Hawaii. I retired from there and went out to Scripps Health to work once again with my buddy Drex DeFord, as the CTO, although we called it Executive Director for IS, but essentially I was the CTO with Scripps Health and then we both moved up to Seattle Children’s where I was a CTO for four years and then CIO once Drex left for three years.
It was there at Seattle Children’s where I really caught the VDI bug. We had some patient safety issues and got together a group of clinicians and I asked, “What can we do better to help with this patient safety issue?” Surprisingly, one of the things that came up was access to the EHR – faster, more ubiquitous access to the EHR. We had been running a skunkworks project on VDI using Tap & Go kind of stuff to follow me desktop and so implemented that there. This really improved the efficiency and, I dare say, the safety somewhat of the clinicians there at Seattle Children’s. After seven years in Seattle, I needed to get some sun and moved (LOL).
Then I moved to Sutter Health where I was a CTO for three years and really wanted to see if that VDI concept, that follow me desktop concept, if it was scalable. So, implemented that there, kind of what we called digital transformation, desktop transformation. I used Imprivata’s Citrix XenDesktop, Office 365 and built that, and I had deployed it at 14 of the 24 hospitals by the time I left there and moved over to Imprivata where Gus (Malezis) uses me a lot to go out and advise clients.
Guerra: Just a personal interest question here – what did you learn in the military that helped you become a successful IT executive?
Wright: The longer I’m out – and I retired in 2006 – the more impressed I am with how much leadership education and training the Air Force provided me. As an airman, which is a very junior person in the Air Force, they taught me these principles. I’m a 22-year-old snot-nosed kid and they’re teaching me Maslow’s hierarchy of needs and how and why people react in the way they do. I think that’s how the Air Force or my military career served me the best. They really developed me as a leader, or at least I like to think that’s what they did. Secondary to that, I also learned the necessary technical skills to be a CIO, as the Air Force was moving me from hospital to hospital.
Guerra: It’s interesting. I would imagine you worked for or with people who you could tell never had such leadership training.
Wright: Sure. I’ve been in places where you hear a leader say something and you go, “Well, that directly contradicts with what a good leader should be saying at this point in time,” or you’re going to a meeting and immediately the person that is in charge of the meeting, the highest ranking person so to speak, says, “Here’s this problem and here’s a solution I think we should do.” I say to myself, “Wait a minute, that’s no way to solicit input.” The military taught me that you start with the lowest ranking person and ask them what their opinion is so they’re not being influenced by the rank in the room. So I think the military really did do well in teaching leadership.
Guerra: There certainly is a science to leadership. You can learn it. I want to shift gears now. We know that luminaries in healthcare have wanted to foster digit transformation and make things more electronic for patient encounters for a long time, and we know that COVID really accelerated that exponentially because it had to, because the encounter had to be.
Wright: Necessity breeds invention, that old cliché. For the longest time, CIOs, CTOs, CXOs in healthcare IT, we’ve known that this is what we needed to do from a telehealth perspective, from a digitization perspective with our patients, but we had two groups of dissenters. We’ve had the providers, the clinicians. They kind of say “Yeah, I’ll do telehealth when you pry my stethoscope from my cold dead hands.” They didn’t really have a choice this time, now did they? If they wanted to continue to see their patients and generate revenue, well they had to do it digitally and I think a lot of them now say, “This isn’t the bugaboo that I thought it was going to be. This is kind of slick.” And then you have the same kind of folks on the patient side of the house too. And so those things coming together I think really have changed healthcare to a good degree, not just good in volume, but good from a bad/good perspective as well.
But we’ve already seen those massive telehealth virtual health visits kind of plummet back from 80 percent down to 12 to 20 percent.
Guerra: That’s a big drop.
Wright: It is, but it’s kind of what I expected to see. Once the payer parity kind of went away I think that you could have anticipated that.
Guerra: People had to roll things out fast and now they are talking about going back and seeing what they bought – making sure it’s secure. Do you see that?
Wright: Yeah. The efforts they made were herculean at the beginning of the surge. Remember, back then, they were building tents and building other locations for Covid patients. Things were bad and everybody had to work from home. It all collided together. So, they’ve just done wonderful, wonderful things.
What we’re seeing at Imprivata – I’m taking this from a digital identity perspective because that’s kind of where I live now – but I wrote a blog probably two months ago entitled “Dang, I Wish I Would Have Had An Identity Governance System,” because what happened was like a spaghetti bowl that just keeps filling up.
For example, you had an ambulatory nurse that had these entitlements and rights and then all of a sudden he had to go over to staff a COVID ICU unit, so there were more rights and entitlements added to his digital identity capabilities and then maybe because somebody in the ED went out because they caught COVID, then maybe he had to go down to the ED. And then there were more entitlements and rights stacked on top of the entitlements and rights and then the organization said, “Okay, now, COVID has passed us, the surge is gone,” now he goes back to being an ambulatory nurse. Is anybody going to take away, or does even anybody know, those additional entitlements and rights were given to him during that COVID surge? And that’s something I think we’re going to have to deal with over the next 6 to 12 months.
It is untangling the spaghetti we made that’s important, because frankly there’s not a lot of healthcare systems out there that have an automated identity governance system where there’s automated provisioning and they can run reports on that nurse at points in time and see exactly what entitlements and stuff he has. We’re going to spend a lot of time digging through that, digging out of that.
Something I think is sorely needed in healthcare is that identity governance administration capability. It’s something that we’ve kicked down the road a long time because it’s not sexy. It’s like buying a new washing machine. Nobody really wants to buy a new washing machine but, gosh, every now and then you’ve got to buy a new washing machine. Nobody really wants to do this backend system stuff that the clinicians aren’t going to really see that much, but it’s just such necessary infrastructure, especially if you want to do digital transformation, that we’ve got to bite the bullet and get that done.
Guerra: I know it depends on an organization’s size and the roles they have, but is this a CIO conversation or a CISO conversation?
Wright: It’s a little bit of both. As you’ve heard me say more than once – digital identity is really the new control plan, the control fabric. That’s how you can account for and allocate those network resources and entitlements. I’ve seen that whole digital identity management piece start to move under the chief information security officer’s auspices because that’s, again, how you control risk, and if you think about the people who are most responsible for risk in a health IT organization or in a healthcare organization, it is the chief information security officer. Having been a CTO for a long time, I’d have a hard time giving that up, but it does make sense that it falls under the chief information security officers.
Guerra: I know Gartner put out a paper recently saying digital identity is a key fundamental building block for digital transformation from a security point of view. Tell me your thoughts on what you saw in there and did anything surprise you in that paper or did it just reinforce your perspective?
Wright: It was reinforcing more than anything, Anthony. Again, if you agree with the thesis – and I think it’s kind of obvious and hard to disagree with it – that digital identity is the single most important way you can control and de-risk your organization, then it makes eminent sense that you’re going to have to have a strong identity government strategy in place if you’re going to do digital transformation at a healthcare organization. You can transform everything you want, but if that nurse that we were talking about earlier still has access to all these other resources on your network, you have essentially just made the train crash faster from a digital identity or digital transformation perspective.
Guerra: So you think there’s a lot mess out there right know in terms of these privileges, access and privileges? Do you think there’s a whole lot of mess going on pretty much everywhere?
Wright: I do, yeah. Of course, you’ve got either end on the bell curve. There’s some people out there who are really doing this well, but the larger majority are not. It’s not a project; it’s a program. It takes a long time; it takes a lot of effort; it takes a lot of collaboration. It’s not something IT can just do themselves. In IT, we have a tendency to want to boil the ocean but this takes steps – we need to just start. So you can get caught in this vicious circle of planning for the implementation of an identity governance system for years, frankly, because it does take such collaboration throughout the organization.
I’m really proud of what we’re doing with our identity governance system in that we’re trying to streamline that process. We realize that these usually have been two to three year long projects and we’re saying “Let’s get you started. Let’s get five applications. Let’s work to see value in five or six months so that you’ll have something you can show,” and then you can point to your collaborators and say, “Hey, this is what we can do,” and then you just keep building on that, instead of taking that 2 year or 18 month cycle to plan things out. Let’s just start.
Guerra: So, as a final question, what is your advice? You said there is a big spaghetti bowl of a mess out there. Most CIOs are helping their organizations battle the second wave of Covid. When and how can they address the mess?
Wright: On the IT side of the house, we have a little more time than we had in that first surge because, remember, in that first surge we’re trying to figure out how everybody could work from home, how we could do telehealth and build other care sites. So, we have a little more overhead of time during this surge, and this might be a good time to really start looking at that, to start examining, “Okay, what does digital identity governance mean to my organization?” I encourage people to just start. That could be just mapping out your current processes. You’ve got a bunch of that spaghetti that you’re going to have to unwind out there and you might as well have a tool in place because that’s really what software is. Have a tool in place that helps you unwind that spaghetti, but also keeps it unwound.
Guerra: In parting, can we say that the spaghetti will get you if you don’t deal with it?
Wright: Yeah, it definitely will especially in today’s environment with the ransomware and stuff that we’re seeing. There’s people out who have a lot more entitlements and access than we think they do. If you get one of these ransomwares or one of these viruses, that’s when you’ll say, “Oh man, the spaghetti got me because this person’s got stuff all over the organization.”
Guerra: Alright, Wes, I think that’s about all I have for you today. I think it’s a great chat and I love our spaghetti analogy. I think that’s a great one. It’s always a pleasure.
Wright: Thanks Anthony.