Inside CHIME: HHS CIO Talks about Conflicting Rules, Cyber Threats and Innovation at CHIME17


By Candace Stuart, Director of Communications & Public Relations, CHIME

U.S. Health and Human Services CIO Beth Killoran discussed the agency’s role in health IT innovation and its efforts to engage industry, CIOs and others to improve healthcare at the CHIME17 plenary session on Nov. 1 in San Antonio. She then took questions from CHIME CEO and President Russell Branzell. Here is the Q&A, which has been edited for brevity.

Branzell: Members in the audience occasionally get frustrated with competing requirements, for example, requirements for information sharing, openness and then strict rules about security and that we should be closed off. How can you help us rectify these competing directives?

Killoran: We know that right now our department is known as the “Wall of Shame” people, that all we do is give you fines when you have a cyber breach; and once you have one of these breaches, your failure lives in infamy forever. We are trying to change that. Part of the new administration is that we understand a cyber breach is not a matter of if; it is a matter of when.

But each of you can show how you are mitigating that risk. In the federal government, there is a framework to mitigate risk. I know that OCR (Office for Civil Rights), ONC (Office of the National Coordinator for Health IT) and our general counsel have some capabilities to show you how to mitigate that risk. We are trying to have you be able to demonstrate how you are building that risk mitigation model into your environments. If you have built those in, in the event that you do have a breach, (you can demonstrate that you) understand where the weakness came from, that you have then resolved where the risk came from and are mitigating the risk going forward.
This has to be a risk-based conversation. It can’t be a “gotcha land.” That is what we are trying to do in my organization.

There is not one number to call. That is why we are setting up a senior adviser and a communication center (the Health Cybersecurity and Communications Integration Center) so you have one number to call if you need to know how to identify, how to protect or how to respond to cyber incidents in your organization. Let us figure out what we have to do to help you on the backend. It could be in our organization or it could be across HHS or even with the Department of Homeland Security.

Branzell: CHIME has members from small-rural to critical access to the largest academic centers. What is the best way for our members to work with you in a partnership?

Killoran: We are trying to establish relationships with a number of entities, CHIME being one, HIMSS another, and also the National Health Information Sharing and Analysis Center, NH-ISAC. We know some of you are probably HITRUST (Health Information Trust Alliance) members. We are trying to work with those entities already established and use the relationships you already have. Let us connect to those relationships as opposed to you having to figure out how to connect to us.

We will be doing tabletop exercises to say what would happen in the event that we have another incident like a WannaCry or a Petya attack, which was a worldwide cyberattack. How can we help the industry? What we are focused on from a health perspective is those small and midsize organizations that may not have a dedicated IT staff: help them with some real-world, practical strategies that they can be doing on a daily basis to protect themselves.

Branzell: We dedicated a lot of the charity events to Direct Relief and the hurricane victims. It seemed like Texas and Florida, due to the credit of many of our members, fared well, especially from an HIT perspective. Then there is the total opposite case in Puerto Rico. What are some of the major lessons learned from those three disasters?

Killoran: Health and Human Services does a really good job of responding to disasters. We were able to respond quickly to all three hurricanes. It did strain resources a little bit to have three hurricane (responses) on the ground all at once. Each was a slightly different need from a health perspective, from flooding and waterborne diseases and health problems associated with mold, to power (losses and limited access) to safe drinking water, medicine and other necessities. We have been able to identify the individual capabilities.

In our department, we have an emergency response organization; it is the (Office of) the Assistant Secretary for Preparedness and Response. They (work) with the secretary and they champion resources across our agency. They bring resources in as needed and direct those resources in the time of the disaster. We are considering cyber to be another level of disaster. As those kinds of large events happened, our preparedness and response organization mobilized. They tapped into my organization and other parts of the department (to determine) what we needed to do to help my department and the healthcare sector at large.

Branzell: Are we innovating too fast? Is there too much technology that we can’t absorb? How do we get the benefit from all of this it?

Killoran: When I started in the federal government, and probably when a lot of you started, we had technology roadmaps that were probably five years long. That was about right because technology would mature on that playing field. Now technology roadmaps are 12 to 18 months; at the longest, 24. If you haven’t implemented within that amount of time, the technology has changed.

What you have to do from an innovation perspective is take one of two paths. The first is you need to be an early adopter because you have such urgent needs that it is OK to try and fail quickly. You can keep trying things and you have the resources to try and fail quickly so you can find the benefit and see what works in your organization. If you are more risk averse, then you might have a little bit more of a lag. You might make sure the technology has proven out in a year or so and then be an adopter after there are some lessons learned. You might partner with some organizations that adopted that technology and figure out how it will be applicable before you make those investments.

Each of us has a different budget but what you can’t continue to do from a technology perspective is keep putting technology in and ripping it out. It is very frustrating to the employees you have and very confusing to the constituents you serve.

