At the CHIME16 CIO Fall Forum, Tony Scott, CIO, U.S. Office of Management & Budget (OMB), urged healthcare CIO attendees to change the conversation around cybersecurity from one of traditional organizational approaches to one centered on quality and digitization.
Scott, the third CIO of the United States, appointed by President Obama on Feb. 5, 2015, and formerly of VMware Inc., gave the closing keynote on the first day of the College of Healthcare Information Management Executives (CHIME) CIO Fall Forum at the JW Marriott Phoenix Desert Ridge Resort in Phoenix, Ariz. Scott said that at the White House, his team is sharply focused on digitization and the effect it has on every enterprise around the world, no matter the industry.
But, he said, it’s important to remember that digitization is different than automation. “Much of the money we have spent on technology over the last 30 to 40 years has essentially been on automating manual processes. Computers sped it up, but the workflow didn’t change much,” Scott said. However, in an era with mobile devices, sensors and the like, work shouldn’t be done the way it was done before, he attested. “We have a chance to re-invent how things get done. We have seen it take place in the media and entertainment industry, in banking, and in transportation. Digitization affects everything, including government,” Scott said.
But Scott said that there is a clear missing link with digitization right now: an institution’s organizational charts are a challenge, as they get in the way of sectors and people realizing their full potential. “If you look at the technical architecture, the apps, the infrastructure, and how work gets done in any institution, and if that’s a 1:1 match for your organizational chart, you’re in trouble,” Scott stated. “If that’s the case, you’re probably not thinking digital through the use of modern technology.”
He added, “What’s better is if every design you do starts with the customer viewpoint, so the outside in. How does the customer want to get information and use it? That’s real digitization.” This approach, Scott continued, sounds simple, but the way things are run and operated in most organizations is too tightly bound to the organizational charts. “The lesson learned is that digitization will blow that paradigm up, one way or the other. Economics, information flow and customer demand drive you to a completely different place,” he said, adding, “CIOs have to be at the forefront of that.”
Scott noted that the federal government spends $80 billion per year on information technology, making it the single largest purchaser of information technology in the world. “We have great buying power, but spend most of it just ‘keeping the lights on’ pretty old stuff. Some [technology systems] we have are 20, 30, and 40 years old, and those things can’t serve the needs of our modern enterprise and also can’t be protected well,” he said.
In healthcare, Scott said he sees many of the same problems he saw when he was chief technology officer at General Motors. At that time, the common thought was that American cars simply couldn’t keep up to speed with Japanese car manufacturers. “People said the American car industry was on its death bed. No one wanted to buy one,” Scott recalled. But then, he said, the conversation started to change to one about quality; the Baldrige Award was created (the Malcolm Baldrige National Quality Award is presented annually by the president of the U.S. to organizations that demonstrate quality and performance excellence), and the discussion became about what can be done together, what can be learned, and what processes can be put in place to evolve. “So in this industry, American car manufacturing became [better] across the board as a result,” he said.
Scott said it’s the same idea in healthcare. “You’re taking some of those same techniques, methods and tools, and applying them in a different space,” he said. For cybersecurity specifically, he continued, every time there is an incident, breach, or failure, “I think we should think of it as a quality issue. It’s a defect in the design, implementation, and operation of information systems. You can take those processes, techniques and tools and apply them in this critical space. But you need to go back to the design to have an impact,” Scott said.
As such, the hope is that work with the National Institute of Standards and Technology (NIST) and the Baldrige program will help to change the conversation, Scott said. “Rather than say, ‘hey this is bad or did you hear about this breach,’ you can instead say, ‘what lessons did we learn, how can we apply this type of quality to this space, and how can we measure the impact of the work we have done?’ Changing that conversation is important in the digitization journey and the cybersecurity journey. That’s when you can see dramatic results,” he said.
Scott gave an example of this working in the federal sector. Ten years ago, a standard was passed for two-factor authentication: PIV (personal identity verification) cards. Every federal agency CIO was told that they must implement PIV cards for two-factor authentication for all users across the federal government, Scott explained. “We got to about 40 percent implementation across the government when I got there, which means only 40 percent in 10 years [or so] time,” he said.