A conversation with Chris Bowen, Chief Privacy and Security Officer and Founder at ClearDATA, reveals there is a way for IT teams to stay mission-focused without compromising security, privacy and compliance. Bowen discusses: the challenges today’s organizations face, when healthcare leaders should consider leveraging external resources, and practical strategies for getting teams back on track.
Q: What might happen within a healthcare organization to make them start thinking about augmenting their team?
Bowen: There are several reasons to think about augmenting a team. It could be a business case that compels you to do something more innovative. It could be a merger or acquisition. Maybe an organization needs to consolidate from a physical data center and move to the cloud to save costs. Maybe it is because a leader in the organization has moved to another organization and taken with him or her some of the internal expertise. Maybe it is a combination of all that. Maybe it’s just a doctor saying, ‘why can’t you do this faster?’
Q: What are some of the day-to-day activities that can inhibit an IT team from focusing on core competencies like innovation, maintaining a competitive edge, and improving the patient experience?
Bowen: As an IT team member, if I don’t spend my time hardening operating systems every time they come out with an update from CIS…
If I don’t have to manage my security groups in a way that can be manually intensive…
If I don’t have to patch every Tuesday that Microsoft comes out with some kind of issue to fix…
If I don’t have to do all that—if that can happen for me—then it allows me to spend my time doing other things like enhancing my data model, making sure that I can service the requirements that my own customers have of me. If I don’t have to spend my time ‘blocking and tackling,’ doing some of the basics around privacy, security, and compliance within my infrastructure and my services that support that, then I can work on my application side and enhance that and make it better. It comes back to servicing the patients, fulfilling the mission, and allowing me to bring to market innovative technologies that solve healthcare problems.
Q: What are some signs that it’s time to refocus your internal resources back to your core competencies?
Bowen: Typically, it’s around the skills of the internal team. If I am a payer that wants to better engage my members, I need to do something radical and bold—maybe it’s using a new service. In order to enable that, looking internally can be a challenge because you’ve had resources aligned with traditional data initiatives or with traditional infrastructure, technology, or security initiatives. (This could happen in every kind of organization in healthcare by the way, not only payers.) We’ve seen the biggest of the big go through this, and what they’ve learned is there needs to be some sort of infusion of expertise in order to succeed. Companies are typically able to invest in those resources—bringing in third party experts—and of course they want to make sure they utilize their people where they can, but it’s frequently the case that they just don’t have the expertise to be able to achieve what they need to in a way that gets them to market fast enough.
Q: Do you think this is more of a challenge than it was in the past?
Bowen: I think so. This year alone has been one of the highest number of breaches on record for healthcare. If you think about it from the perspective of a healthcare organization, there’s a lot to learn. They have to figure out: ‘How do I use artificial intelligence? How do I leverage machine learning? How do I leverage containers and serverless technologies? How do I make sure my storage is locked down and that logs are flowing properly? How do I bring all of these tools together in a way that gives me a smaller risk profile?’ Many times an IT team does not know how to do all that, plus service patients, members, bring that new device to market.
If my focus should be on solving healthcare problems, why would I as an organization spend my time trying to figure out how to manage vulnerabilities when I can use the automation of a partner to manage that for me?
Q: Do you think the cloud is part of the solution?
Bowen: Absolutely. But the cloud journey is a shared one. There are certain things that a customer has to do and a lot of things that the cloud provider has to do. Many times, the shared journey gives the customer the ability to outsource or leverage the cloud provider and offload some responsibilities. What we have seen is that certain segments within healthcare have done a lot more adopting of cloud compliance automation and risk remediation automation. There are many within healthcare that are really good at cloud, and then there are those that are just now starting to dip their toes into the cloud and really need some help in how to get there.
Q: Why is it a good idea to consider leveraging the skills of a third-party partner like a cloud services provider?
Bowen: Thinking as a business or IT leader in any healthcare organization, it would go back to looking at the knowledge and bandwidth of my team. Does my team have the time to dedicate to learning every HIPAA eligible cloud service, creating the reference architecture, updating the tooling around service updates, etc., versus what the business imperatives are that our organization has to accomplish?
As a business leader, my job is to help my organization accomplish our mission. In healthcare, typically that mission is to solve or address some kind of significant healthcare challenge. If I can leverage a third-party company or a provider that already does a lot of the blocking and tackling for me that I mentioned previously, then I can focus on my core mission and core competencies. It’s truly that simple. Once I’m freed up to focus on the mission, I can use my scarce resources to work toward solving the cancer problem, the Alzheimer’s problem, or figuring out a way to keep patients on their rehabilitation plan, for example. I can find time to develop a program that transports a patient to a doctor’s appointment using Lyft or Uber. I can figure out a way to help people eat healthier to help prevent chronic conditions and the costs associated with those conditions.
In that role as a business or IT leader at a payer, provider, healthcare IT, or life sciences organization, my job isn’t to leverage and become an IT expert on cloud compliance and security; my job is to fulfill the mission of my organization. As a leader, the way I can best do that is by using my resources in the most effective way.
Q: Would you say enhanced security is a benefit?
Bowen: Absolutely. I would bucket that into the blocking and tackling referenced earlier that can eat through any healthcare organization’s time, resources, and personnel. What are the table stakes? How do I protect my data? How do I know where the data is? How do I prevent my data from suddenly being copied over to a region in France when it’s not supposed to be outside of Hong Kong, for example? You can now move data across the globe with a couple of clicks. How do you stay safe? When you’re asking these questions all day long, you aren’t left with the time to innovate and address the healthcare challenges in front of you.
Q: Are there any financial benefits to augmenting your team?
Bowen: Yes, there definitely can be. For many of the organizations I work with, augmentation of their team has translated to faster time to market. If I have some kind of innovation that I need to deploy to capture market share or to get more patients, then I’m going to leverage somebody who can get me there faster. If I want to be more agile and go faster, then I’ll do that. If I want to do it in a more secure manner or if I want to offload some risk, I’ll use a partner. If I want to leverage an OpEx model versus a CapEx model, then I’ll do that as well; maybe that helps my accounting and my budget scenario.
Q: For a strategic business leader looking to scale, what are some of the third-party services to consider?
Bowen: I would certainly say the management of your network, backups, and resilience can all be offloaded to cloud services; managing your redundancy can be automated. Now you can even use microservices and tracing tools to trace your data throughout its journey within a Kubernetes environment, for example. You can better track your data flows and your data sprawl—all in an effort to remove yourself from some of the blocking and tackling and really going out there and building a strategy to make your patients’ and members’ lives better. And let’s not forget that HIPAA Security Rule requirement around system activity reviews. Leveraging a third party to watch your logs for any anomalies 24×7 is a huge resource drain. Why not leverage a third party designed to do just that?
Q: Would you say there are any drawbacks to working with a third-party partner?
Bowen: I think it depends on the partner. Like so many things in life, it’s about due diligence. If you have someone who is focused on some proprietary way to do things instead of abstracting and using multi-cloud approaches, you may want to reevaluate that. There are a lot of things to consider. How many incidents has the potential partner been responsible for reporting as a breach? What is their maturity level from a security and privacy perspective? How do they demonstrate that? With which organizations does the partner do business? Who are their investors? Will the partner be around for the long journey ahead? Are they HITRUST certified? That last question is a great starting question actually in any search for a third-party partner.
Q: How can a healthcare organization work with a third-party partner like a cloud service provider and still maintain their existing IT team?
Bowen: I’m glad you asked that question because sometimes a company will say to me, ‘I don’t want my people to be let go.’ What I tell them is bringing in the right third party can actually enhance your team’s skills.
Instead of having your employees focus on basic things like patching and [systems] hardening, teach them a new trade, teach them how to leverage the cloud for their own purposes in the organization.
Teach them about microservices, teach them about containers, teach them to be innovative within their organization. Then actually let them innovate instead of focusing them on commoditized tasks that can be done with certain automation. I would also say to use a partner that can help them learn and grow while it builds and protects your business.
Q: Any final words to healthcare organizations considering third-party support for cloud compliance or other cloud services?
Bowen: I like to think about it in terms of leveraging…it’s like borrowing muscle rather than lifting heavy things yourself. As a business leader, I am going to leverage the expertise of the cloud, and I am going to leverage the expertise of the billions of dollars that the cloud providers have invested in security automation, for example. I’m going to leverage the expertise of those who have built cloud systems in healthcare for years and years and years, who now are our high-level partners with the major cloud companies that have expertise in healthcare. I am going to leverage all of that, absolutely, if I’m a company that really wants to jump into the cloud in a way that propels me to the fulfillment of my mission.