It’s never good to get a call at 3 a.m. – especially one informing you that systems are down. And yet, when it happened to Zach Lewis, CIO and CISO at the University of Health Sciences and Pharmacy in St. Louis, his first thought was that the aging infrastructure was the culprit.
As it turned out, it was much worse.
What Lewis had actually woken up to was a LockBit ransomware attack; one that would consume days of all-hands troubleshooting, trigger calls to the FBI and the organization’s cyber insurer, and force a high-stakes negotiation over a $1.25 million ransom demand.

During a recent UnHack the Podcast episode, Lewis – who authored a book based on the ordeal – offered a glimpse into what a ransomware experience looks like from the inside, and how leaders and staff can prepare for the unexpected.
One of the most impactful (and terrifying) parts of the ordeal is that, for the first few days, nothing pointed to a security incident.
“We didn’t have a ransom note,” Lewis said. “We hadn’t heard any alerts or messages,” including from EDR and SIEM. “All indicators were that it was an IT problem.”
That, he pointed out, isn’t a failure of process, but rather, a reflection of how modern ransomware attacks unfold. The environment came back up after the initial troubleshooting push, then went down again.
In fact, red flags didn’t become apparent until Lewis and his network director got into the root of the ESXi hypervisor that managed the organization’s virtual machines. At that point, they noticed strange file extensions and a README file that’s “not typically there.” Upon opening it, they found the ransom note.
Another compelling aspect of UHSP’s experience is that the organization wasn’t unprepared – quite the contrary. In fact, the cybersecurity program had scored at an A-minus level by external attestation. His team held briefings with the board, established connections with CISA and the FBI, secured cyberinsurance, and conducted tabletop exercises.
And yet, LockBit got in through a gap created during a firewall migration.
According to Lewis, the organization had moved configurations across three successive firewalls. Somewhere between the second and third transfer, a VPN access control was lost. It looked correct on the surface and was labeled the same way it had always been, but the limitation on who could connect to the VPN was blank, meaning anyone in the environment could connect.
“It’s funny how just a couple things have to line up at just the right time,” he noted. “If we had checked a config a little bit closer, if we had done this one thing with VPN, we would’ve broken the kill chain, and the whole thing would fall apart.”
It’s the kind of gap that doesn’t surface on a scorecard or a point-in-time assessment. The lesson? Finish projects completely before moving to the next one. “Just take a minute and review your configs,” he said. “Did things get set up right? Are they properly installed? That would’ve saved us a lot of headaches.”
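The config review Lewis describes can be automated as a comparison of each migration hop. The following is an added example, not code from UHSP or the article; the export layout, field names, policy names and device names are all constructed for illustration.

```python
"""Post-migration audit: find access controls that kept their label but lost
their restriction. The export layout and field names are constructed for this
example and do not match any particular vendor's configuration format."""
import copy

# Fields that narrow who may connect; empty means "no limit" (assumption).
RESTRICTING_FIELDS = ("allowed_groups", "allowed_source_networks")
# Values treated as "unrestricted" when they appear in those fields (assumption).
WILDCARDS = {"", "any", "all", "*"}


def normalize(value):
    """Return the set of entries that actually restrict access."""
    if value is None:
        return set()
    if isinstance(value, str):
        value = [value]
    entries = {str(v).strip() for v in value}
    return {e for e in entries if e.lower() not in WILDCARDS}


def index_policies(export):
    """Map policy name -> policy for one exported configuration."""
    return {p["name"]: p for p in export.get("vpn_policies", [])}


def find_lost_restrictions(before, after):
    """Compare two exports; return (policy, field, problem) tuples."""
    findings = []
    old, new = index_policies(before), index_policies(after)
    for name in sorted(old):
        if name not in new:
            findings.append((name, "*", "policy missing after migration"))
            continue
        for field in RESTRICTING_FIELDS:
            was = normalize(old[name].get(field))
            now = normalize(new[name].get(field))
            if was and not now:
                # Same label, but nothing limits who may connect any more.
                findings.append(
                    (name, field, "restriction became empty (unrestricted)"))
            elif was != now:
                findings.append(
                    (name, field,
                     f"restriction changed: removed {sorted(was - now)}, "
                     f"added {sorted(now - was)}"))
    return findings


def audit_chain(exports):
    """Audit every hop of a multi-step migration, oldest export first."""
    results = []
    for before, after in zip(exports, exports[1:]):
        hop = f"{before['device']} -> {after['device']}"
        results += [(hop, *f) for f in find_lost_restrictions(before, after)]
    return results


# Constructed sample exports for three successive firewalls.
FW1 = {
    "device": "fw1",
    "vpn_policies": [
        {"name": "Remote-Access-VPN",
         "allowed_groups": ["vpn-users"],
         "allowed_source_networks": []},
        {"name": "Vendor-VPN",
         "allowed_groups": ["vendor-support"],
         "allowed_source_networks": ["203.0.113.0/24"]},
    ],
}
FW2 = copy.deepcopy(FW1)
FW2["device"] = "fw2"
FW3 = copy.deepcopy(FW2)
FW3["device"] = "fw3"
# Same policy name, but the group restriction did not survive the last move.
FW3["vpn_policies"][0]["allowed_groups"] = []

if __name__ == "__main__":
    for finding in audit_chain([FW1, FW2, FW3]):
        print(" | ".join(finding))
```

Comparing every hop, rather than only the first and last export, shows which transfer dropped the control.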
When the ransom note appeared, LockBit claimed to have 75 gigabytes of UHSP data and was demanding $1.25 million for its return and deletion. What followed was a negotiation that Lewis described as one of the most important variables in the organization’s outcome.
A key strategy? Buying time. Negotiators were able to do that by asking for file listings, requesting samples of the exfiltrated data, and keeping the conversation flowing for as long as possible, which in turn provided more time to assess the actual risks.
The downside is that as the negotiation stretched on, LockBit’s claimed data volume kept growing, from 75 gigs up to approximately 380 gigs, which raised immediate questions. “We have no idea where that number came from,” Lewis said. “We don’t just have that sitting anywhere.”
When the organization ultimately declined to pay and LockBit dropped the data at the deadline, the actual volume was two and a half gigabytes. The file listings that LockBit shared during negotiations turned out to be the full extent of what they held.
“They were bluffing the whole time,” he remarked. Although the files contained some possible FERPA data, there was nothing of significant sensitivity, particularly from a HIPAA standpoint.
This outcome, however, isn’t necessarily a typical one. “Another company could have done that and it could be two gigs of sensitive research information or government information,” which would likely prompt a payment. “It really depends on your situation and your leadership team and what you think is in that data.”
Throughout the conversation, Lewis returned to a theme that still catches many executives off guard: ransomware groups like LockBit don’t operate out of basements. They operate out of office buildings.
“People literally come in and they clock in, they clock out,” he said. “They have benefits. They have quotas of how many companies they need to attack in a month.”
LockBit, for instance, develops and licenses its malware to customers who execute attacks and share portions of ransomware earnings. It functions, Lewis observed, like a franchise model in which leadership, HR functions, technical development, and quota structures are all present.
It’s a model that isn’t easily broken, he said, noting that LockBit didn’t dissolve after its public-facing sites were taken down by the FBI. Instead, it dispersed, regrouped, and began reconstituting itself by pulling together affiliates from other disbanded ransomware operations. “There are no extradition rules,” he said. “They stay in the wind.” And the underlying infrastructure – which includes server farms housed in buildings overseas, outside the reach of U.S. law enforcement – moves with them.
Leaders, therefore, must be laser-focused on trying to prevent attacks, while also being equipped to act decisively if they do happen.
“You have to stay focused on the task at hand,” and be willing to forgo sleep while guiding teams through the darkest hours. Doing so isn’t easy – for Lewis, it meant spending time away from his wife and two young children. But by putting in the extra time, he was able to help his team weather the storm, and position themselves better for the future.
For UHSP, the incident did that by uncovering gaps in data governance. For instance, during the negotiation, leaders couldn’t answer questions about what exactly LockBit had, where it came from, and how sensitive it was.
That ambiguity drove a multi-year data governance initiative that is still underway. Files are now classified, documented, and tracked, according to Lewis, and data security posture management tools flag files containing HIPAA data, credit card information, and other sensitive categories. As a result, the response team can answer questions definitively and quickly if exfiltration happens again.
The university also hardened its identity and access posture, moving toward passwordless authentication and biometrics where possible, and tightened controls around browser-based access to SaaS applications, where most of its data now lives.
“We found out where our weak points were during the incident,” he noted, and were able to “get down and understand our data at a deeper level.”
And hopefully, be able to respond even more effectively going forward.
Zach Lewis is CIO and CISO at the University of Health Sciences and Pharmacy in St. Louis, and author of Locked Up: Cybersecurity Threat Mitigation Lessons from A Real-World LockBit Ransomware Response.
There’s no question that artificial intelligence is transforming healthcare. Few strategic discussions happen without it being mentioned (or more realistically, dominating the conversation). And yet, despite the overwhelming interest in AI across clinical, operational, and administrative domains, one key area is being neglected: governance.
It’s a gap that must be filled if organizations want to fully reap the benefits of the technology, according to James McCabe, MD (CMIO, Jefferson Health), Benjamin Hohmuth, MD (CMIO, Geisinger) and Kristin Myers (Chief Digital Officer, Northwell Health). During a recent webinar (which was sponsored by Abridge), the panelists shared perspectives on what it takes to build governance structures that can scale, manage executive expectations, and measure ROI in a world of soft-dollar savings.
For all three leaders, the prospect of overseeing AI governance has become a challenge given the level of enthusiasm with which healthcare executives are leaning into the technology. For instance, Jefferson’s executive team has set a target to save 10 million hours of clinician time over three years, McCabe noted. Similarly, AI has been framed as a strategic imperative at Northwell tied directly to patient experience, clinical operations, and operational efficiency, while Geisinger’s CEO views the technology as critical to the health system’s long-term viability.

But enthusiasm and execution are different things. “This has come at light speed through a fire hose, and there’s an over assumption of the magic that’s available,” said McCabe.
His team’s response has been to shift the language. “We’re trying to shift the narrative from magic to more augmentation,” always leading with a problem-first approach. “Rather than what can AI do for us, we ask, what problem are you trying to solve?”
Hohmuth concurred, noting that he constantly pushes back on the concept of AI as peanut butter that can be spread broadly over undefined issues. Instead, his team focuses on specific use cases, one of which is analyzing Geisinger's cardiology referral queue to prioritize patient needs.
The next step is to establish a solid foundation, taking into account key factors such as culture and existing processes.
At Geisinger, Hohmuth has woven AI governance into the existing intake infrastructure rather than building a parallel system. Requests, which come through ServiceNow, are screened for a possible AI component, analyzed for potential benefits and risks, and tiered accordingly. “If it’s low risk – and a little more than half of them are – it’s pretty light touch,” he explained. Higher-risk use cases, particularly those involving patient-facing decisions or reduced human oversight, go through a more rigorous evaluation and require a defined monitoring plan.
Northwell has integrated AI review into its broader technology intake, but with two notable additions: a security and ethics group that brings together leaders from legal, compliance, cyber, and risk; and an executive committee that keeps the COO, CFO, and CHRO engaged at the strategic level.
Jefferson has built the most elaborate structure of the three. What began as an AI steering committee and an imaging AI committee has expanded into 10 subcommittees covering clinical AI, imaging, technical review, responsible AI and bias, KPI tracking, education, and community knowledge exchange, among others. “When a request comes in, we make sure it makes sense to whatever service line is interested and that there’s enterprise agreement that we should take a look at this,” McCabe said. Only after clearing that multi-committee process does a request move to the PMO for implementation.

What comes next – monitoring and maintaining – is one of the most challenging aspects, according to Hohmuth.
“The tools we have to govern and monitor are lagging behind the tools we have in use,” he noted. And while that may be acceptable for the time being, it isn’t sustainable over time, and can’t be scaled successfully without involving humans. “We need to get to a point where technology is doing the audit, and we need to get more help from our vendors.”
Epic has earned relatively high marks from all three for transparency and built-in monitoring dashboards. At Jefferson, McCabe’s team tracks ambient speech outcomes through Epic Signal data, monitoring time in notes, pajama time, and even Press Ganey scores tied to CSN numbers. In doing so, “we found a significant jump in patient experience,” he said. “When we’re using ambient speech with a patient, we’re able to look at them face to face.”
What has proven more challenging, not surprisingly, is demonstrating a hard-dollar ROI. Revenue cycle remains the clearest path through capabilities like denials management, coding assistance, and HCC capture, the leaders stated. But for the growing category of AI tools aimed at clinician experience and administrative burden reduction, the ROI conversation is more nuanced.
When Geisinger rolled out ambient documentation, the principal KPI wasn’t financial, which was a deliberate decision. “Our strategy around a lot of these tools that are aimed at wellness and decreasing cognitive burden is that we have to do that,” Hohmuth said. “We have to make it easier for doctors and nurses to take care of patients.”
Critically, the health system has kept productivity expectations separate from the experience benefit. “We’ve said very specifically we don’t want it to be a quid pro quo where, hey, you can have this tool if you see two more patients.”

At Northwell, Myers has brought finance into the ROI evaluation process directly, requiring that any measures presented to the executive committee be pre-vetted by the CFO’s office. Even so, some tools have achieved a different kind of status. “From even our CFO’s perspective, they’ll say, look, ambient is now just a foundational technology, and if we don’t implement that, we’re not being competitive.”
Hohmuth offered one practical strategy for navigating the hard-versus-soft ROI divide: piggybacking. When a use case with clear hard-dollar ROI, such as a revenue cycle AI tool, reaches the threshold where it tips the economics from à la carte to platform pricing, it can pull other experience-focused use cases along with it. “All of a sudden the financial barrier to implement some of those other non-hard-dollar use cases goes down,” he noted.
In terms of what’s next, all three leaders pointed to agentic AI as both the most promising development on the horizon and the most consequential governance challenge ahead. The tools currently in use – ambient documentation, clinical summarization, decision support – have managed to keep a human meaningfully in the loop.
That’s about to change.
For Hohmuth, the most exciting near-term opportunity is the aggregation of multiple information streams: what comes from a patient conversation, what lives in the chart, and what evidence-based guidelines say should happen next – all brought together into actionable clinical recommendations. “Synthesizing what comes from the conversation with what comes from the chart, informed by what we know about the patient and from society guidelines or other knowledge resources, into sort of next best actions – that’s something I’m really excited about.”
Myers sees patient access as an area that’s ripe for potential, whether it’s streamlining scheduling, personalizing care connections, or reducing the friction that prevents patients from getting to the right place at the right time. Just as impactful, however, is the promise of reducing the administrative burden. At Northwell, “our ambition is grounded in realistic value-driven transformation. We want to embed AI into the culture, strategy, and day-to-day operations that advance quality, access, and long-term sustainability,” she added. AI “can transform the way we operate, deliver care, and innovate as an organization.”
For healthcare leaders, ensuring staff are engaged and satisfied isn’t merely another item on the (ever-growing) checklist; it’s an urgent priority.
At least, that’s the case for Laurie Wheeler, who has served as COO of IS&T at MultiCare Health System since 2021, but has been with the Pacific Northwest-based organization since 1999. It’s the type of longevity rarely seen in healthcare, but one that she believes can become more common with the right culture in place.

“I love what I do; I love the people I work with every day,” she said. “I learn something new every day – and that’s what keeps people engaged.” During a recent Flourish episode, Wheeler spoke with Sarah Richardson about her approach to some of the biggest challenges facing healthcare, and the leadership attributes she believes will be critical going forward.
For Wheeler, engagement isn’t an annual event. It’s a daily practice that begins with getting out of the office and rounding.
The key is “talking to patients, talking to staff, and helping solve problems.” Oftentimes, the problems worth solving aren’t necessarily the major issues, but rather, the “pebbles in the shoe,” she noted. Solving what are often simple problems will “make their day.”
That philosophy extends to how on-call responsibilities are handled. Even a 2 a.m. call, she noted, can be a valuable listening opportunity, as it provides a chance to understand what’s actually happening on the ground, in real-time, as opposed to waiting for survey results.
When her team does receive those results, they tend to act quickly. For example, after an engagement survey uncovered frustrations around IT ticket transparency and navigation, they reached out to the chief nursing officer, assembled a group of clinical directors and pharmacy staff, and spent months conducting structured listening sessions.
The outcome? Her team made targeted changes to their ServiceNow environment – building out what Wheeler calls a “pizza tracker” so staff could see exactly where their requests stood at any given moment. By the time the next engagement survey came back, the issue had dropped off the list. “It definitely changed the outcome of the survey.”
It’s a structure that, fortunately, has remained in place.
A clinical super user group for Workday now includes roughly 30 volunteers from across the organization who meet regularly to share what they’re hearing in the field, and help the IS&T team stay ahead of issues.
That responsiveness to staff needs has become a critical aspect of leadership, noted Wheeler, who has cultivated a ‘give it to Laurie’ dynamic by being willing to tackle difficult tasks.
But that doesn’t mean she can fix every problem. “I’m the first to say, ‘I don’t know, but I can find out,’” she said. Doing so “makes folks that are newer to the organization feel safe to speak up if they don’t know. It puts a human side on you. But you always have to follow up.”
That combination of approachability paired with consistent delivery can build the type of trust bank that sustains teams through changes such as mergers, acquisitions, leadership transitions, and technology transformations. During these times, which can test even the strongest teams, it’s critical to be able to connect people to mission.
One way is by partnering with operations, she noted. “Whenever we can, we have them come into team meetings to tell safety stories and connect the dots. Always going back to the why.” Doing so can “really help lead through stressful times.”
It can also maintain high levels of engagement, which has become table stakes. “Healthcare is a tough place to be. You always want to make sure folks are there for the right reasons.”
And while those reasons vary, what seems to tip the scales for most individuals is being seen and feeling like they’re part of a community. “This is definitely not easy,” she said. “Being able to talk to your peers and your mentors is incredibly valuable.”
The ultimate goal for leaders is to leave behind a culture where asking for help is safe, where showing up with humility is valued, and where the mission never gets buried under the noise. Doing so, she believes, requires three core attributes: curiosity, humility, and flexibility. “It’s fascinating to watch the speed of healthcare technology. Being open to new ideas from anyone and being agile is going to be really critical.”
Finally, leaders must make it a point to show gratitude, particularly as staff are being asked to do more and more. “Whether it’s a thank you in the hallway or sending an email, showing your appreciation for others is something I do every day,” Wheeler said, emphasizing the importance of human connection. “You want to be seen in the organization as someone who is trusted, someone who is open. Because if you have this ego, you’re not going to get the feedback you need. And at the end of the day, it is not going to contribute to a successful outcome.”
One of the biggest challenges with innovation is getting past the buzzword aspect and exploring what it actually means for organizations – and more importantly, the foundation that must be in place to cultivate it. “It should not be confused with invention and creation of shiny objects,” said Chero Goswami, Chief Information and Digital Officer at Providence. “Innovation drives change. Innovation is very deliberate.”
In a recent 229 Podcast interview, he went so far as to say that “innovation without purpose is just another hobby.”
And not just purpose, but a solid strategy and foundation to support it. During the conversation, Goswami spoke with Bill Russell, Founder and CEO of This Week Health, about his team’s approach to innovation, their constantly evolving AI strategy, and how he is working to bring teams back together.
When it comes to innovation, the 52-hospital system has never lacked ambition, as several digital health entities have spun off from its venture capital arm. What Goswami brought to the role when he joined in 2025 was a framework for channeling that ambition into outcomes. The three components of that framework? Empathy, innovation, and impact.

“It starts with empathy,” he said, calling it the fabric on which healthcare is built. “The day we stop caring for patients in our thoughts when they're not in front of us – we should leave this industry.”
Innovation, he added, is already in Providence’s DNA, although it is most certainly a work in progress.
And finally, impact, which is measured not in statistics, but in people. “Sometimes we forget that behind each of those numbers is a name, a human being, a family. It does matter about outcomes,” he said. “We need to have business outcomes, not just technical outcomes.”
That framework is already producing results. In the past year, Providence reduced patient wait times for new appointments by seven days – with a goal of getting below 25 days by the end of 2026, Goswami said, noting that a key factor in its success is a continued focus on change management.
“Without it, innovation becomes the lipstick on a pig,” he added. “It becomes successful for 60 days, and then as soon as the support system goes away, it crashes and burns.”
The same applies to AI initiatives, according to Goswami. His team’s approach – identifying a handful of high-priority projects and ensuring they can be scaled before moving on – has served them well.
Some of the use cases he’s excited about are AI-assisted in-basket management and ambient documentation. Others include imaging AI for early detection of pulmonary embolism and intracranial hemorrhage, which has driven measurable reductions in length of stay and adverse outcomes, and revenue cycle, which he considers to be a no-brainer. “If someone is not doing AI in claims, denial management, prior authorization – the question is why not? What kind of governance are you waiting for to come and tell you to do it?” he noted.
On ambient specifically, Goswami challenged the industry’s tendency to measure success purely through adoption rates, urging leaders to focus on all the benefits. “We have to keep improving on this to reduce the administrative burden on health systems.”
Underneath the AI conversation is a workforce question that doesn’t get enough serious attention: how do you build the next generation of health IT talent in an era of remote work? Like many CIOs and CIDOs, Goswami is concerned that the informal, hallway-level mentorship that shaped his own career is quietly disappearing. “Gone are the times where you can just walk down the hallway to a colleague and talk about it and learn a tip or trick,” he said. “I don't know if I would be here today if I had started my career during work from home.”
The solution, in his view, isn’t mandating in-person attendance by decree, but rather, making the case for culture. “Some things you can’t do remotely. That’s where tradition, culture, and habits change and prosper.” One method he is utilizing? Holding open coffee sessions in which staff are invited to address concerns or ask questions. “Meet people where they are, not where you are,” he emphasized.
And in healthcare, there’s no shortage of questions or challenges, largely because of its unique nature. “It’s an industry where none of your consumers want to come to you because they want to. They come to you because they need to.”
That reality, he noted, shapes so many factors, from how technology is designed to how change is managed and how success is measured. Because the human element is so pervasive, leaders are under increased pressure to ensure the right infrastructure and the right pieces are in place – but it’s a burden he’s proud to help shoulder.
As CIOs and CIDOs, “we keep up with regulatory changes. We keep up with cyber issues,” Goswami said. Consequently, “we have actually reduced preventable harms. We’ve made patient care better – not just the quantity of years a person lives, but the quality of life.”
Moving forward, he hopes to see even bigger improvements. “If we can reduce the burden of accessibility and affordability together using technology, that, to me, would be our biggest win.”
There’s a question every CISO should ask before buying a single tool or hiring a single person – and most never do: What do you want to leave behind?
It’s the question that has guided Jack Kufahl for the past decade as CISO at Michigan Medicine, and it shapes everything from how he structures his team to how he evaluates vendors to how he thinks about vulnerability management. It’s also the question that Greg Garneau posed when he walked into Hospital Sisters Health System two years ago, tasked with building a program from the ground up. During a recent UnHack the Podcast episode, Kufahl and Garneau spoke with Drex DeFord about the credentials they value most in the hiring process, the keys to a strategic vendor relationship, and the flaw with vulnerability scanners.

When Kufahl joined Michigan Medicine 10 years ago, he started to notice some patterns among his CISO peers: turnover was rampant, tenures were short, and when they left, either the program fell apart, or they took their best people with them. Being an inaugural CISO presented an opportunity to change the narrative, which meant taking a hard look at what was working, and what was not.
“Before you start buying stuff and hiring people, spare a few moments to think about what you are uniquely positioned for,” he said. “Vendors change, people come and go, bosses come and go, and department names change. I didn’t want to build something just to have whoever came in next say, ‘Well, that last guy didn’t know what he was doing, so we had to go back to square one.’”
It was a very different experience for Garneau, who came to HSHS following an incident and was tasked with building a “world-class cyber organization.” Fortunately, it came with full support from leadership, which was needed to turn a “rudderless ship” into an effectively led team. Two years later, the organization is in a far better place security-wise. “What we’ve accomplished is nothing short of extraordinary,” he said. “But it’s not done. You have to work with your partners in the business. You have to work with IT. But you also need the staff who want to support this mission.”
That’s where it gets complicated, according to Kufahl, who believes the problem isn’t a shortage of cybersecurity talent, but rather, how that talent is being channeled. “There are a lot of extraordinary people available, from both a behavior and a skillset point of view,” he said. “And if you try to take extraordinary people and then put them into ordinary containers, that will reduce the opportunity for variety.”
His strategy to look beyond the resume and focus more on disposition has led to the hiring of nontraditional candidates such as former hospital administrators, teachers, and professionals from the gaming and gambling industries. The commonality he looks for? Curiosity. “Cybersecurity is not fixed, which means we’re in a constant learning pattern,” he explained, adding that thirst for knowledge is paramount, particularly in a field marked by so much unpredictability. “That’s what keeps people.”

Garneau added that the opposite dynamic – placing smart people in unchallenging work – carries real costs. When smart people are in situations where they’re “just mailing it in and checking a box every day, the disengagement over time” can take a toll and prevent them from contributing to the organization.
To that end, both Garneau and Kufahl rotate staff across different areas of security, which has resulted in improved engagement. When leaders prioritize continued professional training, “everybody wins,” Kufahl noted. “The tools are used better, the talent is used better, and you’re a better boss for it.”
When it comes to vendor partnerships, engagement is also a critical component – much more so than the numbers on an invoice. “Some of our biggest bills are from some of our least strategic vendors,” he said. What he values most is “stakeholdership in how well our team is doing and how well their products are working.”
Kufahl described drawing a mental line through his OPEX ledger dividing vendors into two groups: those who are in the trenches with his team, and those with whom the arrangement is mostly transactional.
Garneau concurred, comparing relationships with the wrong vendors to dealing with used car salespeople. The right partners, by contrast, will invest in helping teams get better – not just at using the product, but at doing their jobs.
That upskilling component matters quite a bit, said Kufahl, citing data from the ISC2 Cybersecurity Workforce Study which found that one of the top drivers of burnout is not having enough time to learn the tools. True partners, he added, are working to close that gap. “More and more vendors are stepping up and saying, ‘Thank you for buying it, but we actually want you to use it better.’”
What doesn’t work, according to Kufahl, is vulnerability management. In fact, he called it “dumb” during the discussion, adding, “It doesn’t work. There are too many vulnerabilities. It’s an exercise in integrating with your CMDB (Configuration Management Database).”
To be clear, he isn’t suggesting organizations should stop scanning. Instead, he advised letting the scanner assist with prioritization.
“Get a sticky note,” Kufahl noted. “Figure out how many hours and how many people you’re putting into vulnerability scanning. Then, be honest with yourself: how many of those people are actually pushing tickets and just trying to make the ticketing system work?” He also urged leaders to “start thinking about how you could redeploy that effort toward taking whatever the vulnerability scanner puts out and running it through a threat interface.”
The alternative is exposure management, a threat-driven model that focuses not on the CVSS score, but whether a vulnerability can be exploited in your environment, and whether threat actors are actively using it.
What organizations don’t want to do is “play whack-a-mole with the highest vulnerability,” Garneau noted. “Are those really exploitable? Are they a KEV? Do they run at run-time? Those are the ones you go after.”
When teams are able to accomplish that, they’ll achieve benefits beyond security outcomes, he said, adding that when HSHS shifted to this model, the number of IT and security staff consumed by patching exercises dropped, freeing capacity for higher-value work.
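The questions Garneau lists can be applied to scanner output as a triage step. The following is an added example, not a tool used by HSHS or Michigan Medicine; the tiering rule, the `loaded_at_runtime` and `reachable` fields, the asset names and the placeholder CVE identifiers are assumptions constructed for illustration.

```python
"""Threat-driven triage of scanner findings: rank by "is it being exploited"
and "can it be exploited here" before looking at CVSS. All identifiers and
data below are constructed placeholders, not real CVEs or hosts."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float
    loaded_at_runtime: bool  # vulnerable component actually executes on the asset
    reachable: bool          # an attacker-usable network path exists (assumption)


def tier(finding, kev):
    """1 = act now, 2 = schedule, 3 = backlog (one possible rule, an assumption)."""
    actively_exploited = finding.cve in kev
    exploitable_here = finding.loaded_at_runtime and finding.reachable
    if actively_exploited and exploitable_here:
        return 1
    if actively_exploited or exploitable_here:
        return 2
    return 3


def triage(findings, kev):
    """Return (tier, finding) pairs; CVSS only breaks ties inside a tier."""
    ranked = [(tier(f, kev), f) for f in findings]
    return sorted(ranked, key=lambda pair: (pair[0], -pair[1].cvss))


def cvss_first(findings, threshold=7.0):
    """The "whack-a-mole" queue: everything at or above a score, highest first."""
    high = [f for f in findings if f.cvss >= threshold]
    return sorted(high, key=lambda f: -f.cvss)


# Constructed stand-in for a known-exploited-vulnerabilities list.
KEV = {"CVE-EXAMPLE-0002", "CVE-EXAMPLE-0003"}

# Constructed scanner output.
FINDINGS = [
    Finding("CVE-EXAMPLE-0001", "ehr-app-01", 9.8, False, False),
    Finding("CVE-EXAMPLE-0002", "vpn-gw-01", 7.5, True, True),
    Finding("CVE-EXAMPLE-0003", "file-srv-02", 8.8, True, False),
    Finding("CVE-EXAMPLE-0004", "lab-ws-17", 9.1, True, True),
    Finding("CVE-EXAMPLE-0005", "print-srv-03", 5.3, False, True),
]

if __name__ == "__main__":
    print("CVSS-first queue:")
    for f in cvss_first(FINDINGS):
        print(f"  {f.cvss:>4}  {f.cve}  {f.asset}")
    print("Exposure-based queue:")
    for level, f in triage(FINDINGS, KEV):
        print(f"  tier {level}  {f.cvss:>4}  {f.cve}  {f.asset}")
```

In the constructed data the highest-scored finding falls to the backlog because it is neither on the exploited list nor running on a reachable asset, while a lower-scored finding that meets all three conditions moves to the top.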
It can also improve the dynamic with IT partners, which has been the case for Michigan Medicine. “Every time we’ve gone to another IT team with a threat – and we’ve explained our model – there has been zero friction,” he said. “More times than not, they come back and say, ‘we know it’s a problem, and we could really use your help.’”
His message to CISOs at any organization, regardless of size and resources, is to continue to advocate for threat intelligence. “Everybody should be looking at it. If you’ve got five dollars, put a dollar towards threat intel.”
Doing so will not only benefit the organization now, but also in the future, as it will help establish a culture of cybersecurity. “You don’t often get chances to shape the wet clay,” said Kufahl.
This is one he hopes the industry will continue to seize. “We’re all trying to figure this out.”
For a long time, there was a serious problem with IT – it didn’t “tell a patient’s story,” according to Michael Pfeffer, MD. “It was just a bunch of pre-generated text.”
Now, that’s no longer the case. Thanks to the tremendous effort that’s been put into place in recent years, “We’re able to capture the patient’s words in a more accurate way than we’ve ever done, and that’s incredibly exciting,” he said during a recent 229 Podcast interview.
At Stanford Health Care, where he serves as Chief Information and Digital Officer, clinicians are leveraging large language models (LLMs) to ensure they’re making “the best decisions for patients in real time, with the best evidence,” which is, put simply, “changing the game.”
In the interview, Pfeffer shared thoughts on how creating a sandbox environment has benefited both users and leaders, why he’s so excited about ChatEHR, and what it means to be “uniquely Stanford.”

Michael Pfeffer, MD
One of the most common misconceptions about AI is that it’s new to medicine; as both a CIO and a practicing physician, Pfeffer knows that isn’t the case. “We’ve always had some form of AI; we were predicting things and using rule-based intelligence,” he said. The difference? “Now we have a super-advanced version of AI with capabilities that let us challenge the way we do things in informatics.”
LLMs, which are used to summarize, categorize, and generate text and photos, can sort through “huge amounts” of both structured and unstructured data, “in ways we haven’t been able to before.” And, as demonstrated by the saturated vendor market, AI tools are more accessible than in previous years, enabling individuals to experiment by writing prompts and asking questions.
That curiosity is absolutely critical, according to Pfeffer. “When you’re having discussions around how to solve problems with AI, that’s transformative. That’s what makes it fun.”
And in fact, that thinking is a hallmark of what it means to be “uniquely Stanford” and create a culture of innovation that permeates through the organization. “It allows us to think big and move toward outcomes that can be taken and disseminated.”
That was the strategy Stanford employed soon after the launch of LLMs, creating a space in which staff could experiment with different models and learn how they work. For leaders, it offered a valuable glance into how models were being used, and a chance to customize and automate based on those findings.
In one case, SecureGPT (Stanford’s term for the sandbox) was being used to record mental health interactions and provide a transcription and summarization, which would have taken “hours and hours” to do without the help of a voice file. “It’s saving us so much time,” he said.
That capability to marry the clinical record with LLMs in an efficient way paved the way for ChatEHR, which went live in the fall of 2025. Its impact was felt almost immediately, as it helped physicians get to know patients through prompts, rather than trying to read through hundreds of notes.
“If you’re admitting a patient for the first time, it's really helpful to dive into the record and make sure you pick up all the details that you need,” said Pfeffer, who believes “ChatEHR can summarize the hospital course better than I’ve ever seen anybody do it. That’s exciting.”
Of course there are myriad security and privacy measures in place to safeguard data and ensure the correct record is being accessed. That, he noted, “significantly reduces the hallucinations. But we continue to monitor it. We continue to learn from what people are doing and how they think, and use that to develop AI-based automations and products that match those needs.”
How exactly does Stanford do that? One way is through MedHELM, a framework designed to decipher how LLMs are performing by soliciting user feedback. Importantly, it pulls from all records involving the patient, including HIEs, to provide a complete picture, and allows physicians to question trends. “It’s been amazing to see it in action and have people find things they maybe wouldn’t have found,” he said.
What’s just as exciting as having an EHR user interface is the ability to run sophisticated analyses, Pfeffer added. “Instead of just rules-based data, you can take a huge set of criteria and run it against the EHR data in real time, and produce output that you can then put back into the workflow.”
A practical use case? Leveraging ChatEHR to identify which patients are eligible to be transferred to another campus, a process that involves sifting through a huge amount of criteria. At Stanford, “we can take that criteria and run it against every patient in the ED, then flag the ones who are eligible, rather than having people do manual chart review,” he said. “That is not something we could do before.”
It is, however, something they plan to do in the future, as agentic AI is increasingly being used to alleviate the administrative burden, while also enabling physicians to spend more face time with patients. “That’s where we see a lot of value,” he said.
And what has made it possible is the groundwork Stanford has put into place, including a ‘Green Button’ that provides guidance for physicians in the absence of evidence-based guidelines by pulling data from the EHR. The first-of-its-kind initiative has been a huge satisfier for users and is currently being piloted in primary care facilities.
“It’s growing to become more automated and integrated,” said Pfeffer, who believes it holds tremendous potential. “I’m a huge advocate for technologies that provide evidence to make sure we’re doing the right thing every time for the patient. When you boil this down, that’s the only thing that matters.”
A few years ago, AI dethroned cloud as the biggest buzzword in healthcare IT, and it shows no signs of relinquishing the crown.
And as advanced AI continues to emerge as a strategic chip for leaders, Tanya Townsend believes it’s time for another term to reach ‘hype’ status: operational transformation. “We want to enable. We want to enhance. We want to continue to invest in AI and technologies, but we also have budget constraints because of all the headwinds happening,” she said. CIOs, she noted, are being asked to balance cost savings while managing inflation and growth, and still find ways to invest in the future.
During a recent 229 Podcast, Townsend, who serves as Chief Information and Digital Officer at Stanford Children’s Health, talked about the momentous task leaders face in “getting our arms around that,” the need to refine how organizations view ROI, and the success her team has seen with ambient listening.

Tanya Townsend
When Townsend arrived at Stanford in August 2023, she had already racked up two decades of experience in leadership roles (most recently as system SVP and CIO at LCMC Health). This, however, was her first foray into both the academic and pediatric worlds. “Every organization I’ve been part of has had a little bit of a different personality and culture,” she said. “My leadership style is to come in and observe.”
What she observed at Stanford was a “very mature” organization that had a solid foundation of technology and strong culture, and was positioned well for growth. Her team’s role was to determine how – and where – to pursue that growth.
“We’re live on Epic and we have several other tools that intersect or integrate with our digital front door,” Townsend noted. “But we found that the utilization and adoption weren’t where we wanted them to be.”
To that end, they’ve focused heavily on creating a standardized experience, particularly when it comes to digital engagement. “Nothing is more frustrating than when patients want to use the tool but there isn’t anything available to schedule,” she said. Their solution? To set realistic expectations with operations – and make sure they’re being communicated.
As a result, Stanford has seen a significant boost in online scheduling, with some areas increasing by 36 percent. They also saw a 20 percent spike in wait list acceptance, an increase in online bill payments, and a decrease in no-shows – driven largely by the use of real-time messaging.
Another critical move was the implementation of ambient listening, which yielded results almost immediately. “I didn’t expect it to explode as quickly as it did,” Townsend said. “It’s everything from clinicians getting home on time for supper, to reducing our use of scribes, which was significant. We’re improving our ability to close charts faster, which hopefully will lead to more revenue.”
What was critical, she noted, was the decision to start (somewhat) slowly by piloting ambient listening in a few select areas. When the results started coming in – and teams were able to show value – they rolled it out further, eventually encompassing all ambulatory sites.
“There are so many pieces and parts to it, but it’s really a fun story to tell,” she said.
What isn’t fun, however, is dealing with the perception of IT as a cost center – something that has plagued leaders for years. Her strategy? Face it head-on and create a new narrative. “The reality is that oftentimes IT departments are cost centers. And if you don’t get your arms around what’s involved in those costs, you forget about it, and then it looks like this big number just keeps increasing,” Townsend said.
By reassessing how they look at the budget, her team is hoping to uncover areas for potential savings; for example, reducing the use of scribes after implementing ambient listening. Leaders, she said, need to be thinking about how to capture those types of wins and show how it translates into ROI.
“How do we tell that story? That’s what we need to focus on,” she noted. “It’s also about reassessing staff structure. Do we have the right people? Do we have the right skill sets? Do we have them operating in the right place? And as we’re balancing all of this, we have to make sure we’re prioritizing.”
Part of that, she believes, is bucking what has become a common trend and taking the time to really evaluate an initiative before moving onto the next. “We have to get really good at telling our story,” Townsend noted. “We tend to just move on to the next project. And so, as we’re putting together our digital transformation strategies, I’m really focused on making sure each one has a goal, and that we’re holding ourselves accountable to tracking toward that goal.”
And while the ambient rollout “hit it out of the park,” that isn’t always the case, which makes it all the more critical to reflect on what went wrong and find ways to pivot going forward.
It’s a mindset that she feels will serve organizations well, particularly as advanced analytics continues to dominate the conversation. Although it has certainly shown potential to improve efficiency and boost satisfaction (among both patients and providers), it’s important not to put AI on a pedestal, she cautioned. “It’s just another tool in the toolbox. We shouldn’t think about it differently than other technologies that we need to assess, govern, and prioritize.”
And in fact, she believes leaders should apply a healthy amount of skepticism to AI, while simultaneously putting in place the necessary framework to enable success.
“On the clinical side, it’s going to get better and become more trustworthy, and it’s going to get there fast.” And on the patient-facing side, “it’s going to become an expectation of how we do business going forward. It’s here to stay,” Townsend concluded. “We have to embrace it and learn to use it in the best, most effective and safest way possible.”
Like many healthcare leaders, Shane Thielman makes it a point to attend user group meetings whenever possible, as he finds them to be extremely informative.
Almost too informative.
As a result, he usually comes back feeling “very excited and enthusiastic,” and at the same time, “drained,” he said in a recent 229 Podcast interview. “It’s so much information.” And as much as AI tools have become ingrained into healthcare and dominated strategic conversations in recent years, there are still significant gaps, according to Thielman.
“My fear with AI is that we don’t unlock the power and the potential because we fail to bring our workforce along in a way that they understand how to be successful working with it,” he noted. For that reason, Scripps Health – where he has served as CIO since 2019 – has made it a point to establish a strong business case for any initiative, and ensure steps are in place to build literacy and share knowledge. They’ve also adopted a stepwise approach with implementations, ensuring a solid foundation is in place before advancing to the next level.

Shane Thielman
“Our philosophy is that IT itself is not a strategy,” he noted. Rather, “IT should help enable the strategy, along with operations.”
During the interview, Thielman spoke about how Scripps is leveraging technology to improve the digital experience for both patients and staff, as well as their “methodical” approach to selecting and prioritizing initiatives.
It’s not a new concept; in fact, when Scripps initially began rolling out Epic in 2017-18, leadership opted for a phased implementation over the highly recommended big-bang strategy, and it turned out to be the right call. “I’m appreciative that we had the opportunity to deploy the way we did,” he said. “We took the lessons learned in the first deployment and applied those to the second and third in a way that made those successive rollouts much more palatable for the organization.”
Since that time, there has been a concerted effort to remain closely aligned with the foundation, ensuring that Scripps can “stay current and benefit from all the latest features, workflows, and code that’s available from Epic,” Thielman added.
With that core in place, his team is better positioned to determine which initiatives to move to the front of the queue.
One of those is the use of digital and virtual assets to improve the navigation process and reduce friction for patients. “A big part of our focus has been around appointment availability,” he noted. “We’ve been on a journey since our initial deployment to activate a lot of the self-service features, both through the portal and website.”
Although it may seem “very simplistic” to allow self-scheduling, it’s part of a larger strategy to empower patients and caregivers, which in turn can improve outcomes. “It’s about how we make ourselves accessible and available to patients and give them alternatives from the traditional phone call to the physician’s office or into a contact center,” Thielman stated, adding that around 40 percent of appointments can now be scheduled online.
And while the response from the community has been encouraging, Scripps still has a long way to go. “It’s going to become increasingly important to distinguish ourselves as a provider of choice, and that extends well beyond online scheduling,” he said. “It’s everything from enabling visibility into wait times in our EDs and urgent care centers, to being able to hold a place at our lab draw stations.”
That functionality has been extended to specialty and subspecialty areas where providers are in short supply, and will continue to expand, he said. “There’s unlimited potential for growth.”
Another area of focus? Operationalizing a command center to provide co-located services across all five hospital campuses. By automating support services like EVS and transport, Scripps has seen a decrease in the time between admission and bed placement. Providers are also able to monitor patients’ progression through their episode of care.
“We’re using the command center as a mechanism to leverage our human capital and talent differently,” Thielman said, while also thinking differently about “how we leverage our technology assets to be more effective and efficient.”
And while it certainly helps to show specific metrics such as improved length of stay, his team is more concerned with how initiatives translate to overall improvement. “We’re looking holistically across the episode of care at all of the white spaces where patients are waiting,” he said. “We have a high demand for our ED services and we need to be able to turn beds over efficiently. And so, anything we can do to attack that white space is critical. We can hardwire our performance standards and expectations. We can train to standard work and we can embed that within our digital footprint and provide feedback performance on a real-time basis.”
Another key step has been adopting a set of milestones around discharge that create visibility by alerting care teams of delays, and enabling them to see which activities are still pending. “That was our first step in addressing flow,” Thielman said.
The second was having physicians document information such as the expected date of discharge into the EHR. “The concept there is to help manage expectations and understand where we have variants,” he noted. “By understanding those outlier cases, we move closer to continuous improvement, and create awareness across the care team that can be built into our daily operation huddles.”
That same tried-and-true methodology has been applied to Scripps’ use of AI, particularly ambient documentation. Despite being early adopters of DAX, Thielman’s team has taken a stepwise approach, moving incrementally toward a more full-scale deployment. And while there isn’t a roadmap that can guide all organizations, he did recommend some steps that have proven effective, including the following:
These guidelines, he believes, helped build a strong foundation that will guide the organization as AI use expands beyond administrative tasks, eventually being leveraged to personalize patient care and inform diagnosis and treatment decision making. In order for that to happen, however, organizations need to remain laser-focused on solving the most pressing issues.
“What’s going to add the most value? What’s going to help move the needle for Scripps and for our patient community? That’s where we need to be,” said Thielman, who believes IT leaders have been given a tremendous opportunity. “I see this as a defining moment from an IT standpoint as to how we can further enable the organization, help improve workflows, quality, and patient/provider experience, but also identify ways in which we can use technology to reduce cost structure.”
As healthcare organizations continue to prioritize digital transformation – and face the myriad challenges that come with it – there’s no shortage of opportunities to “move the dial.”
Perhaps the most glaring, however, is in patient scheduling. According to Deborah Muro, CIO at El Camino Health, less than 20 percent of consumers are leveraging the capability – and that’s being generous.
“The retail industry would never accept that,” she said during a 229 Podcast interview. Neither does El Camino, which has always been on the cutting edge of technology. In fact, the California-based system was the first organization in the country to implement an EMR, developing a platform in conjunction with Lockheed Martin.

Deborah Muro
And so, when Muro joined the organization in 2014, she was excited to be part of a forward-thinking culture, and spent the next several years positioning El Camino for success in the digital era.
“We spent a lot of time doing what we needed to do for lifecycle management,” she said. “Now, we’re at a place where we’re innovating and transforming while we grow as an organization.”
One of those target areas? Patient experience, which is particularly critical in areas like Silicon Valley where expectations for tech-driven care are sky-high. To that end, her team is focused heavily on removing friction on the front-end. “We brought in scheduling technology that sits on top of the EMR and brings the consumer, wherever they are, to our website or scheduling tool,” and provides them with options based on their preferences, she noted. For example, an individual with back pain could go to urgent care, book an appointment with a primary care physician, or opt for a virtual visit. The goal is for El Camino to have already ironed out any insurance challenges, enabling the patient to focus on their care.
“One of our biggest goals is to deliver on patient experience,” Muro stated. “Retail is constantly bringing people into their products and their ecosystem. We have to do that in healthcare. We need to meet them where they are, personalize the experience, and guide them through their care journey.”
Of course, there are other objectives, many of which leverage AI capabilities to improve patient outcomes and reduce the administrative burden. One of the 30-plus use cases across El Camino is Deterioration Index AI, a class of machine learning models used to predict events such as cardiac arrest and identify patients at risk for falls. So far, they’ve seen “a decrease” in incidents, Muro noted.
In addition, the organization is leveraging AI in radiology to help prioritize image viewing and help uncover incidental findings – “things that wouldn’t have been seen by the human eye,” she said. What it means is that a chest X-ray that was ordered for one reason could surface other issues that AI can detect, such as a nodule or occluded vessel, which can set patients on the right treatment course.
As a result, El Camino has seen impressive adoption among radiologists. “They’re seeing the value,” Muro said.
It’s especially exciting for leadership, as adoption has been a major hurdle when it comes to AI implementation. “It’s the hardest part of the job for a CIO. You need to make sure you’re removing the roadblocks and understanding the pain points. That’s the real work we do.”
That work, she has found, requires a solid governance process. To that end, her team has created an AI steering committee composed of leaders from various departments. Once they’ve had a chance to assess risk and value, a decision is made on how and when to deploy it.
“There’s so much interest in AI throughout the organization,” she stated, noting that the next phase will likely include layering ChatGPT on top of the EMR “so that we can answer our own unique questions.”
Another factor that has weighed heavily in El Camino’s use of AI is interest among nursing leaders, who are “very engaged in decision making,” according to Muro, particularly when it comes to ambient listening. By having nurses work closely with vendors, they can more effectively determine readiness among users and optimize systems.
“We believe in the benefits of going from documentation to voice-to-text, and our goal is for it to become the decisive choice for nurses,” she said. “But it’s a challenge out of the gate and it has to be done well.”
It’s a concept she understands well, having spent time in nursing. Because of that experience, she was able to “approach conversations with empathy” upon stepping into the CIO role, and understand both the workflow challenges clinicians face, and the fact that technology doesn’t always meet those needs.
The best way to remedy that, she believes, is by rounding often – and keeping an “ear to the ground.” By doing so, she noted, “I see what patients are dealing with in the care that we provide, and it really grounds me in the work that I do.”
Importantly, she’s able to share those insights with her team and weave them into the strategy at El Camino, which will continue to move from reactive to proactive care models in the future. “Right now, we wait until a patient walks into the ED to treat them, and we don’t know what’s going to happen,” Muro said. “My goal is to move into a model where we know exactly what’s happening, and can even predict what type of patients will present in the ED.”
As with every initiative, it links back “to our vision and plan so that the work we’re doing is enabling the organization to be successful.”
Cleveland Clinic doesn’t always follow the typical path when it comes to selecting and implementing technologies, and ambient listening was no exception. Instead of zeroing in on one or two solutions, the IT team conducted five pilots over the course of six months.
In the end that patience paid off, said Sarah Hatchett, noting that it has gone live with more than 3,500 physicians to date. “We’re seeing great outcomes in terms of their experience with the tool, but also some revenue improvements as well. That’s been fantastic.”
By executing multiple pilots, her team was able to develop “a deep understanding” of what drives value, which, in their case, turned out to be the quality of the note. “That was the differentiator,” she noted. “That’s how we ended up selecting the product we did.”

Sarah Hatchett
It’s a perfect encapsulation of the deliberate, data-backed philosophy that guides decision-making at Cleveland Clinic, and has distinguished Hatchett as a top leader in the industry.
Recently, she spoke with This Week Health about how her team is managing the myriad challenges faced by healthcare organizations, from technical debt and prioritization to the constant waves of M&A and expansion. Hatchett, who has served in various capacities with the organization since 2017, also shared insights on the critical role CIOs play in educating teams on AI.
For Hatchett, one of the most appealing aspects of being with Cleveland Clinic is the “vision and mission” to deliver world-class care. Along with that, however, comes a “moral imperative to provide care wherever we can,” which can be daunting for CIOs.
“Each care setting represents a different set of technology needs, whether that’s through new affiliates or strategic partnerships,” which means leaders need to stay ahead of the innovation curve, she noted. “We have to be out there understanding what are the best capabilities in the market, and what we can build and support to enable that in different care settings.”
And it’s not just brick and mortar expansion; health systems are increasingly seeking out strategic partnerships to strengthen their capabilities.
But regardless of the nature, growth of any kind requires a “highly reliable, stable, secure, always-on platform,” something she feels is often underappreciated. “That doesn’t come easy. There’s a ton of work that needs to happen.”
One of the key elements in ensuring a strong platform, according to Hatchett, is stewardship. “Whether you’re talking about capital and operating investments or prioritization of projects, I always have my eye on technical debt,” she noted. “Where do we have gaps? Where do we have challenges versus where we drive value for the business?”
This is where problem management plays a key role. And specifically, ensuring issues are addressed quickly and completely, and baked into resilience planning to prevent similar problems from occurring down the road. “It’s something we’ve built a lot of discipline into,” she noted.
That bleeds into another key area of focus for CIOs – particularly those at large organizations: striking the right balance between demand and capacity. It starts with accepting the idea that demand is always going to exceed capacity, at least to some extent, Hatchett said. Therefore, “it’s up to us to prioritize our portfolio and make sure we’re working on the right things to support our business decisions.”
It’s also understanding that if a request is made that will add significant value, leadership can increase capacity. The key is in being as transparent as possible, she noted. “That visibility and cultural understanding is so important, because if you’re on a technical team and you’re on the receiving end, it can feel like this uphill battle that you’re never going to win. When in fact, we are indeed winning by being strategic and being intentional about the way we allocate resources.”
To achieve this goal, Cleveland Clinic is taking a few key measures, which she described below:
Another topic that has become a critical focus for Hatchett is AI – specifically, ensuring teams grasp the role that tools like ambient documentation will play in driving transformation. “AI is going to be part of our jobs going forward, whether it’s helping us to implement a point solution or whether it's becoming increasingly integrated into our enterprise applications. Everyone needs to identify AI as part of a new level of responsibilities in terms of education, understanding, and being able to operationalize these tools.”
And although Cleveland Clinic has an AI data science team tasked with “deep algorithms and forecasting, everyone needs to be able to understand and work with it,” especially when it’s embedded into workflows.
For CIOs and other leaders, it presents an opportunity for growth in their teams – provided they’re willing to invest time for learning and development, which includes training. The question, according to Hatchett, is “how do we actually put our money where our mouth is and not just say, ‘I expect you guys to be able to learn things,’ but to actually create space in the resource plan for that. I think it’s so important to let people know you mean it. Otherwise it can just feel like another expectation that’s hard to meet.”
That, of course, is the last thing leaders want to do. Instead, CIOs like Hatchett are focused on “making sure we continue to head down the right path, getting the best experience for our providers and our patients as well.”