So many great discussions and interactions took place during the Health IT Summit in San Diego last week, sponsored by our publication, Healthcare Informatics. Whether the subject was “The Evolution of the Senior IT Executive: Strategic Roadmaps for Value-Driven IT,” the title of a panel discussion that I was privileged to be able to moderate, with several leading CIOs and healthcare IT leaders participating; or the cybersecurity panels on day 2 of the Summit; or the opening keynote, delivered by Michael Restuccia, vice president and CIO of the University of Pennsylvania (Penn) Health System, one striking element last week was the extent to which human factors—especially culture and leadership—figured prominently in all the discussions in San Diego.
Discussing his assertive leadership over the past several years to move Penn Medicine forward in terms of healthcare IT advancement, Restuccia, who’s been at Penn Medicine for 11 years now, nine of them as CIO, used some of his time in his keynote address to talk about the significance of culture in relation to his leading IT in the organization.
Restuccia put it to his audience this way: “Two things about Penn Medicine: it’s obviously big—we’re six hospitals now, and a $7 billion organization, and we now stretch from Lancaster [County, Pennsylvania] to the Atlantic Ocean” (in Delaware). “And it has a Quaker heritage, and that’s our culture. And my point on this is, you’ve got to know our culture,” Restuccia said. “The Quaker culture involves cooperation and discussion. As a result, nothing happens really fast, and decisions require a lot of discussion, but once they’re made, things move fast. Learning the culture was tough for me. I learned it, after making some edicts that got smacked back at me.” Importantly, he remarked, “In 2007, almost all of the IT was outsourced to a third-party firm. There weren’t a lot of really good relationships between IS and the departments; there wasn’t a good consultative approach.” As a result, he said, “The IS culture really didn’t align very well with the world-renowned research and clinical care taking place there.” In other words, one key to the successful forward evolution of the IS team and enterprise at Penn Medicine has absolutely been understanding the culture of the organization at Penn Medicine, and moving forward in concert with it, rather than working against it.
The theme of culture came up repeatedly during the panel “The Evolution of the Senior IT Executive: Strategic Roadmaps for Value-Driven IT,” which I had the privilege and pleasure to moderate. Indeed, our panel discussion immediately followed Michael Restuccia’s keynote, and Restuccia himself was one of my panelists, along with Chris Longhurst, M.D., the CIO at UC San Diego Health; Audrius Polikaitis, assistant vice president of health information technology and CIO at the University of Illinois Hospital Health Sciences System, based in Chicago; and Clark Kegley, assistance vice president, information services, at Scripps Health (San Diego). Among the themes that emerged during that panel discussion was the importance of healthcare IT leaders learning and understanding how to work with their colleagues in their organizations, in ways that have matched the norms of their organizational cultures, even as they strive to lead their organizations. For CIOs and other healthcare IT leaders, it’s always a tricky dance, requiring the need to “fit in” to their organizational cultures while also being change agents and true leaders.
And the theme of culture even came up in the cybersecurity panels on day 2 of the Health IT Summit.
For example, towards the end of the panel discussion entitled “Ransomware Risks: What We Learned From NotPETYA and WannaCry,” during the question and answer portion of the session, Clark Kegley, the assistant vice president of information services at Scripps Health, who had participated on panels the previous day, but who was an audience member during this panel discussion, said, “Historically, IT was assigned the disaster recovery part, and the business had the business continuity part. How do you bridge that gap?” he asked the panel.
“At Sharp,” responded Chris Convey, vice president, IT risk management, and CISO at the San Diego-based Sharp Healthcare, “we go around and talk with the various leaders of the various segments of our organization. And part of this job is going around and really talking to the leadership and saying, we don’t mean to scare you, but this is where we need your help. There’s no way I can think of to approach this, other than with that level of cooperation.”
“About a year and a half ago, our board listed disaster recovery as a key issue for the organization,” noted Stan Banash, CISO at Children’s Hospital of Orange County (in Orange, California). “At that time, when I was brought into the conversation, the COO was already involved. And I was able to shift the conversation rom DR and to business resiliency. And in the end, they put together a steering committee for business resiliency; and we’ve created a new position for business resiliency, under the COO. And so that issue has been addressed.”
And yes, all of those elements cited by Messrs. Convey and Banash speak to the importance of culture. Indeed, CISOs and CIOs are finding that, in their efforts to educate their colleagues on cybersecurity, they need to help create cultures of security in their organizations. Cybersecurity, and data and IT security in general, can’t be the “job of IS” in any patient care organization; it has to be woven into the warp and weft of a patient care organization’s culture; after all, every patient care organization has countless points of cyber-vulnerability, in the guise of every end-user—and that makes healthcare an industry that faces almost unique cybersecurity challenges. As I like to say when I reference those challenges, all any hospital-based organization needs to fall victim to the evildoers is for Dottie in Accounting to open an innocent-looking email with the subject line, “About Your FedEx Package.” Of course Dottie opens the email—who wouldn’t? And thus begins a ransomware nightmare. What every one of the healthcare IT security leaders on that panel agreed on, was the need to create cultures of data and IT security, given that patient care organizations in healthcare are almost uniquely vulnerable to cyberattacks, given that they have thousands of end-users whose actions can quickly endanger their data and IT security. So the solution is necessarily enterprise-wide and cultural.
All of this speaks to a fundamental set of challenges and opportunities for CIOs, CMIOs, and other healthcare IT leaders. Whatever their technical and professional capabilities and expertise, healthcare IT leaders need to ally their skills to their organizations’ cultural norms; being change agents can never be achieved in a vacuum.
So in the end, while it’s not surprising, it is worth underscoring the people skills that healthcare IT leaders will need to hone and leverage, in order to move their organizations forward around strategic IT priorities. And it was fascinating to have that point underscored regularly at our Health IT Summit in San Diego last week—by CIOs, CISOs, and pretty much everyone else.