Thursday, September 15, 2011

Authority, Responsibility, and Risk

When I became CIO of CareGroup/BIDMC in 1998, I promised to listen to all my staff and collaboratively embrace technologies that would benefit patients while also enabling employee career growth.   The IT team worked together to implement new infrastructure and new applications.   Success led to an upward spiral of success.    Other groups such as Media Services, Knowledge Services, and Health Information Management joined  IS.  We continued to grow in scope and capability.  

My sense at the time was that additional authority, budget and span of control were great - more was better.

However, in my nearly 15 years as CIO, I've learned that while more authority may bring more opportunities to succeed, it also brings increased responsibility and with it, additional risk.

In a world of increasing regulatory pressures and compliance requirements, the likelihood of something bad happening every day in a large organization is high.    The larger your role, the larger your risk.

Today in my BIDMC role I oversee

83 locations
18000 user accounts
9000 desktops/laptops/tablets
3000 printers
600 iPads
1600 iPhones
450 servers  (200 physical, 250 virtual)
1.5 petabytes of storage

serving over a million patients.

If one employee copies data to a USB drive and loses it, a potential breach needs to be reported. If one workstation is infected with malware that could have transmitted clinical data to a third party, a potential breach needs to be reported.  If one business associate loses an unencrypted laptop, a breach needs to be reported. 30,750 such breaches have been reported since HITECH took effect   All breaches are the CIO's responsibility.

If one IT project is over time or over budget, it's the CIO's responsibility.

If one IT employee goes rogue, it's the CIO's responsibility.

If one server, network, or storage array fails, it's the CIO's responsibility

If one application causes patient harm, it's the CIO's responsibility

Life as a CIO can have its challenges!

At the same time that responsibilities are expanding, the number of auditors, regulators, lawyers, compliance specialists, and complex regulations is growing at a much faster rate than IT resources.

There are three solutions

1.  Spend increasing amounts of time on risk identification and mitigation
2.  Reduce your responsibility/accountability and thus your risk footprint
3.  Find a nice cabin in the woods and homestead as far away from regulatory burdens as possible

I'm doing #1 - about 20% of my day is spent on matters of risk, compliance, and regulation.   I'm doing #2 by transitioning my CIO role at Harvard Medical School to a successor.  #3 sounds appealing but I'm not there yet!

As healthcare CIOs face new regulations for e-prescribing of controlled substances, FDA device safety requirements, 5010 implementation,  ICD-10, new privacy rules, and Meaningful Use stages 1-2-3, the magnitude of the challenges ahead may at times seem overwhelming. I sometimes long for the days when all I had to do was write innovative software and create a nurturing environment for my staff!

There are 3 negative consequences that can result from overzealous regulation:

1.  The joy of success can turn into a fear of compliance failure
2.  Compliance can create such overhead that we lose our competitiveness
3.  We'll become less entrepreneurial because the consequences of non-compliance, such as loss of reputation, penalties, and burden of responding to agencies enforcing regulations, become a deterrent to innovation.

For now, I have accepted the risks that come with all my responsibilities, but at some point, the balance may become more challenging to maintain. As we move forward, I hope that policymakers in Washington and at the state level will be mindful of the unintended consequences of regulatory complexity.


James said...'ve got a lot of responsibility on your shoulders! Love your blog.

Medical Quack said...

Yes, you do have a lot and always offer "hands on" information with consumer Health IT too, not many do that out there and heck I can't even get the ONC folks to share a little success on how they use a PHR to maybe get some role models out there, but I keep hinting as that would help.

In the news this week was Wellpoint and their upcoming use of IBMWatson, well relative to the way laws are made and the untended consequences we end up with, I'm back again talking about how Congress could really use the 70 server technology that handles 200 million documents/data in 3 seconds to query and model the results of their regulatory propositions as business has changed and a huge surge of mergers and acquisitions and they need some big tech power to predict and potentially identify what areas laws and regulations will touch.

When a company in as little as 48 hours can crank out an algorithmically designed business model and begin rolling it out, how does any lawmaking body compete, they can't. They might just get along better too if they had full open sessions to query and gather the information from the same origins as well instead of fragments from the GOA, CBO, etc. and trying to put it together.

One other item on machine learning I commented on too related back to the video that Kevin Slavin did on how algorithms are shaping life around us, which was excellent and I have used it on a few posts myself.

The example of the algos on Amazon reacting with each other and causing a bidding war on a book to go up to $12 million was pretty wild to say the least, but his word was to be aware and look for those things and he used the quants of Wall Street and Nanex as his sources and how they are trying to figure what happened so thus I see a warning for healthcare to approach slowly and get it as right as they can from the start.

How CIOs keep up today I don't know as there is so much on the platter and it keeps growing so add on some machine learning and a few rogue algorithms in the diagnosis process, claims and other areas of the visit...well it could get very interesting and how are the CIOs going to fix or help in this area when the writing of the code that comes in to a medical record system becomes unreadable? I guess you could just shut it off or hit an ignore button but we know that won't suffice and create the answers expected form the CIO:)

What happens when we get int healthcare with machine learning extenuated, like when Well point rolls out? Will we need to hire some quants next? I made my humerous comparisons as to the algorithms they could possibly be plucking out to name, like CPT chaos or the ICD shuffler.

You are right everything is moving very fast and it's all over the US in Health IT. Maybe Nanex will get a healthcare division to help us all out when the machine learning portion of all of this gets heavily infiltrated:)

Even the public CIOS have gone on record too with having a hard time keeping up and they too have had to learn more about healthcare IT than they ever dreamed of.

If our lawmakers could only unite and use technology to model and do a bit of quantified predictive behavior it would help all of us out with perhaps avoiding some of the unintended circumstances that arise.

Center for Patient and Professional Advocacy said...

At Vanderbilt University, we have reduced medical risk by using an evidence-based intervention system called PARS. We also offer an interactive and case-based educational program, Promoting Professional Accountability, which provides methods for addressing unprofessional and disruptive behavior. Find more information on our Website: