At the CHIME16 CIO Fall Forum, Tony Scott, CIO, U.S. Office of Management & Budget (OMB), urged healthcare CIO attendees to change the conversation around cybersecurity from one of traditional organizational approaches to one centered on quality and digitization.
Scott, the third CIO of the United States, appointed by President Obama on Feb. 5, 2015, and formerly of VMware Inc., gave the closing keynote on the first day of the College of Healthcare Information Management Executives (CHIME) CIO Fall Forum at the JW Marriott Phoenix Desert Ridge Resort in Phoenix, Ariz. Scott said that at the White House, his team is sharply focused on digitization and the effect it has on every enterprise around the world, no matter the industry.
But, he said, it’s important to remember that digitization is different than automation. “Much of the money we have spent on technology over the last 30 to 40 years has essentially been on automating manual processes. Computers sped it up, but the workflow didn’t change much,” Scott said. However, in an era with mobile devices, sensors and the like, work shouldn’t be done the way it was done before, he attested. “We have a chance to re-invent how things get done. We have seen it take place in the media and entertainment industry, in banking, and in transportation. Digitization affects everything, including government,” Scott said.
But Scott said that there is a clear missing link with digitization right now: an institution’s organizational charts are a challenge, as they get in the way of sectors and people realizing their full potential. “If you look at the technical architecture, the apps, the infrastructure, and how work gets done in any institution, and if that’s a 1:1 match for your organizational chart, you’re in trouble,” Scott stated. “If that’s the case, you’re probably not thinking digital through the use of modern technology.”
He added, “What’s better is if every design you do starts with the customer viewpoint, so the outside in. How does the customer want to get information and use it? That’s real digitization.” This approach, Scott continued, sounds simple, but the way things are run and operated in most organizations is too tightly bound to the organizational charts. “The lesson learned is that digitization will blow that paradigm up, one way or the other. Economics, information flow and customer demand drive you to a completely different place,” he said, adding “CIOs have to be at the forefront of that.”
Scott noted that the federal government spends $80 billion per year on information technology, making it the single largest purchaser of information technology in the world. “We have great buying power, but spend most of it just ‘keeping the lights on’ pretty old stuff. Some [technology systems] we have are 20, 30, and 40 years old, and those things can’t serve the needs of our modern enterprise and also can’t be protected well,” he said.
In healthcare, Scott said he sees many of the same problems he saw when he was chief technology officer at General Motors. At that time, the common thought was that American cars simply couldn’t keep up to speed with Japanese car manufacturers. “People said the American car industry was on its death bed. No one wanted to buy one,” Scott recalled. But then, he said, the conversation started to change to one about quality; the Baldrige Award was created (the Malcolm Baldrige National Quality Award is presented annually by the president of the U.S. to organizations that demonstrate quality and performance excellence), and the discussion became about what can be done together, what can be learned, and what processes can be put in place to evolve. “So in this industry, American car manufacturing became [better] across the board as a result,” he said.
Scott said it’s the same idea in healthcare. “You’re taking some of those same techniques, methods and tools, and applying them in a different space,” he said. For cybersecurity specifically, he continued, every time there is an incident, breach, or failure, “I think we should think of it as a quality issue. It’s a defect in the design, implementation, and operation of information systems. You can take those processes, techniques and tools and apply them in this critical space. But you need to go back to the design to have an impact,” Scott said.
As such, the hope is that work with the National Institute of Standards and Technology (NIST) and the Baldrige program will help to change the conversation, Scott said. “Rather than say, ‘hey this is bad or did you hear about this breach,’ you can instead say, ‘what lessons did we learn, how can we apply this type of quality to this space, and how can we measure the impact of the work we have done?’ Changing that conversation is important in the digitization journey and the cybersecurity journey. That’s when you can see dramatic results,” he said.
Scott gave an example of this working in the federal sector. Ten years ago, a standard was passed for two-factor authentication: PIV (personal identity verification) cards. Every federal agency CIO was told that they must implement PIV cards for two-factor authentication for all users across the federal government, Scott explained. “We got to about 40 percent implementation across the government when I got there, which means only 40 percent in 10 years [or so] time,” he said.
A few years later, a major breach at OMB happened. Scott and his team analyzed it and saw how the attack materialized; indeed, it was privileged users being compromised, which could have been prevented by this two-factor authentication implementation, he said. “So I said at the time, in the next six weeks, not six years, we will make big progress. And in six weeks, we got up to over 80 percent implementation, and 100 percent implementation for privileged users. How? Well, we said that it’s a priority, we said we will have a public score card, report results every week, and I challenged CIOs to measure it and have a public display. I asked them if they wanted to be at the top or the bottom of the list. And yes, we did other things as well, such as patching vulnerabilities and reducing the number of system administrators, but it shows you what a focused effort looks like,” Scott said.
That strategy inspired Scott’s team to embark on a cybersecurity national action plan, he said. “Whatever time I have left in this administration, one of the things that’s so important for us to do is leave with a different message,” he concluded. “Not only is cybersecurity important, but there is something we all can do about it—when we recognize good work, share it across the community.”