Cleveland Clinic doesn’t always follow the typical path when it comes to selecting and implementing technologies, and ambient listening was no exception. Instead of zeroing in on one or two solutions, the IT team conducted five pilots over the course of six months.
In the end that patience paid off, said Sarah Hatchett, noting that it has gone live with more than 3,500 physicians to date. “We’re seeing great outcomes in terms of their experience with the tool, but also some revenue improvements as well. That’s been fantastic.”
By executing multiple pilots, her team was able to develop “a deep understanding” of what drives value, which, in their case, turned out to be the quality of the note. “That was the differentiator,” she noted. “That’s how we ended up selecting the product we did.”
Sarah Hatchett
It’s a perfect encapsulation of the deliberate, data-backed philosophy that guides decision-making at Cleveland Clinic, and has distinguished Hatchett as a top leader in the industry.
Recently, she spoke with This Week Health about how her team is managing the myriad challenges faced by healthcare organizations, from technical debt and prioritization to the constant waves of M&A and expansion. Hatchett, who has served in various capacities with the organization since 2017, also shared insights on the critical role CIOs play in educating teams on AI.
For Hatchett, one of the most appealing aspects of being with Cleveland Clinic is the “vision and mission” to deliver world-class care. Along with that, however, comes a “moral imperative to provide care wherever we can,” which can be daunting for CIOs.
“Each care setting represents a different set of technology needs, whether that’s through new affiliates or strategic partnerships,” which means leaders need to stay ahead of the innovation curve,” she noted. “We have to be out there understanding what are the best capabilities in the market, and what we can build and support to enable that in different care settings.”
And it’s not just brick and mortar expansion; health systems are increasingly seeking out strategic partnerships to strengthen their capabilities.
But regardless of the nature, growth of any kind requires a “highly reliable, stable, secure, always-on platform,” something she feels is often underappreciated. “That doesn’t come easy. There’s a ton of work that needs to happen.”
One of the key elements in ensuring a strong platform, according to Hatchett, is stewardship. “Whether you’re talking about capital and operating investments or prioritization of projects, I always have my eye on technical debt,” she noted. “Where do we have gaps? Where do we have challenges versus where we drive value for the business?”
This is where problem management plays a key role. And specifically, ensuring issues are addressed quickly and completely, and baked into resilience planning to prevent similar problems from occurring down the road. “It’s something we’ve built a lot of discipline into,” she noted.
That bleeds into another key area of focus for CIOs – particularly those at large organizations: striking the right balance between demand and capacity. It starts with accepting the idea that demand is always going to exceed capacity, at least to some extent, Hatchett said. Therefore, “it’s up to us to prioritize our portfolio and make sure we’re working on the right things to support our business decisions.”
It’s also understanding that if a request is made that will add significant value, leadership can increase capacity. The key is in being as transparent as possible, she noted. “That visibility and cultural understanding is so important, because if you’re on a technical team and you’re on the receiving end, it can feel like this uphill battle that you’re never going to win. When in fact, we are indeed winning by being strategic and being intentional about the way we allocate resources.”
To achieve this goal, Cleveland Clinic is taking a few key measures, which she described below:
Another topic that has become a critical focus for Hatchett is AI – specifically, ensuring teams grasp the role that tools like ambient documentation will play in driving transformation. “AI is going to be part of our jobs going forward, whether it’s helping us to implement a point solution or whether it's becoming increasingly integrated into our enterprise applications. Everyone needs to identify AI as part of a new level of responsibilities in terms of education, understanding, and being able to operationalize these tools.”
And although Cleveland Clinic has an AI data science team tasked with “deep algorithms and forecasting, everyone needs to be able to understand and work with it,” especially when it’s embedded into workflows.
For CIOs and other leaders, it presents an opportunity for growth in their teams – provided they’re willing to invest time for learning and development, which includes training. The question, according to Hatchett, is “how do we actually put our money where our mouth is and not just say, ‘I expect you guys to be able to learn things,’ but to actually create space in the resource plan for that. I think it’s so important to let people know you mean it. Otherwise it can just feel like another expectation that’s hard to meet.”
That, of course, is the last thing leaders want to do. Instead, CIOs like Hatchett are focused on “making sure we continue to head down the right path, getting the best experience for our providers and our patients as well.”
When Anahi Santiago took the helm as CISO at ChristianaCare back in 2015, her first priority was to schedule meetings with executive leaders and pose a few simple but critical questions: What’s important to you? What keeps you up at night? And what are your priorities?
Doing so helped her “understand how to align my cybersecurity program with the organization,” she said. It also helped further establish a culture of cybersecurity, which continues to be one of ChristianaCare’s core values more than decade later. “If you put the patient first, you can overcome many of the challenges we’re experiencing.”
Recently, Santiago spoke with Bill Russell about those challenges – which continue to mount for IT and cybersecurity leaders – and the strategies her team is leveraging to manage them.
Anahi Santiago
As is often the case with CISOs, Santiago didn’t start her career in healthcare. And while the experience she gained as a technology architect and project manager certainly helped build her skillset, it didn’t necessarily prepare her for the very “open nature” of healthcare. “You have patients walking on the floors, you have mobile carts with computers in the hallways, and you have nursing stations with 12 people working in the same space,” she said. “It’s very difficult to coral that and implement sound security when the dynamics are so fluid.”
Further compounding the situation is the presence of biomedical devices, particularly when certification cycles for government agencies don’t line up with those of the operating systems. “Because they’re FDA-certified, it’s not like a regular Windows device where if it gets infected, we either throw it out and install a new one or wipe it clean and restore for backup,” she explained. For that reason, close collaboration between biomedical and IT departments has become critical to effectively manage risk throughout the device lifecycle and ensure adherence to regulations and guidelines.
Part of that risk management entails conducting tabletop exercises, which should be done in conjunction with the device vendor to “coordinate all of the recovery processes,” Santiago noted – especially for a system as large and complex as ChristianaCare. “Of the 90,000 IP addresses that are connected to our network, 70,000 are medical devices,” she said. If a breach occurred, “the recovery time to get our hospital back up and running would feel untenable. But in reality, that’s how challenging it is in the face of a massive cyber attack.”
This isn’t news for cybersecurity and IT teams, which tend to understand the criticality of tabletop exercises and other drills. Other departments, on the other hand, aren’t always as prepared. “We have good downtown procedures for a few hours, maybe a day, but not for four to six weeks,” she said. And so, for a recent tabletop exercise, “we brought in people from home health, emergency areas, lab, radiology, and operational people that needed to exercise how they were going to work without technology.”
And they didn’t stop there. Earlier this year, CISA led a tabletop for ChristianaCare in which representatives from 13 state, local, and federal agencies – including the National Guard and Departments of Health – shared information about how to divert and transfer patients, and stand up makeshift hospitals.
“The participation of those agencies in helping us to understand how we could leverage them was immensely valuable,” Santiago said. “I would encourage everyone to include your local agencies in your tabletop exercises. In the 20 years that I’ve been doing this, I learned more from that than I had from any other exercise.”
Another key step for her team is the creation of an operational resiliency steering committee to ensure operations continue in the event of an attack. Importantly, it’s composed of executive leaders from across the organization, including finance, compliance, materials management, and public safety, among others.
Although it’s a “huge lift” that requires an enterprise-wide commitment, it’s one she’s happy to lead. “It’s a really critical need because it’s not ‘if,’ but ‘when,’ and when it does happen, it’s going to be weeks, not days.”
And it’s going to affect patient care, whether it’s canceled surgeries, increased medical errors, malfunctioning devices, or delayed authorization for life-saving treatments. “If we don’t do our jobs well – or even if we do our jobs really well, but the threat actors happen to just get it right that one time – we could impact care,” Santiago said.
On the other hand, CISOs and other leaders have an opportunity to “truly align cybersecurity to patient safety” by collaborating with stakeholders across the organization. “We’re experiencing huge challenges right now when it comes to margins and when it comes to uncertainty,” she noted. “But if we have the right culture and we have difficult conversations that allow us to overcome them, then I think we can get over the mountains that are in front of us.”
Spencer Dorn isn’t a technophobe – far from it. As Vice Chair and Professor of Medicine at UNC Health (and a practicing gastroenterologist), he has a vested interest in “how technology is reshaping our lives and reshaping medicine.”
What does not interest him is the increasingly prevalent concept of AI, or any technology for that matter, as a panacea for everything that’s wrong with healthcare.
One example? Integrating AI tools within the EMR to improve email management, which has been touted as a game-changer. “The in-basket is not the only reason why doctors are unhappy,” he noted. “There may be many reasons. We need to be careful and not oversimplify problems and suggest tools that will magically fix things immediately. We need to keep our feet on the ground.”
Spencer Dorn, MD
Doing so, however, isn’t easy – particularly for healthcare leaders who are inundated with use cases for tools that can help alleviate burnout and improve patient care. During a recent 229 Podcast with Bill Russell, Dorn spoke candidly about his concerns around advanced analytics, particularly when it comes to care coordination and output reliability, and the need to temper expectations.
During the conversation, Dorn recalled a tense moment during which a patient’s oxygen saturation level dropped significantly during a colonoscopy, prompting he and his anesthesiologist colleague to abort the procedure and quickly pivot, which helped save the patient’s life. The primary takeaway? The efforts put in by frontline workers go far beyond leveraging technology, he said, noting in a LinkedIn post that “it’s foolish to imagine automating their roles away.” Because while AI can certainly “make knowledge abundant, it cannot yet reliably manage risk or coordinate action under pressure,” especially in clinical situations.
“AI can’t do everything,” Dorn said. “It can unbundle knowledge from experts, but healthcare isn’t just about providing knowledge; it’s about coordinating care. And it’s about accepting risk when things go wrong.”
The ability to “unbundle” and help summarize information is significant and shouldn’t be overlooked. “There’s a reason why AI scribes have proliferated healthcare and pretty much every health system in America now has chosen a scribe to partner with,” he stated. “People often have very long and complicated medical records. And so, if you’re looking for a nugget or a few nuggets, reading through the whole thing to find them can be quite laborious.”
AI-powered platforms like OpenEvidence, for instance, can assist in clinical decision making by aggregating information from trusted sources like NEJM and JAMA and present knowledge at the point of care. In that respect, “AI can make physicians’ work easier,” he noted. “We’re already seeing that with a lot of tools.”
On the other hand, having access to so much information can be overwhelming, according to Dorn, who equated it to the alert fatigue that can be brought on by clinical decision support tools. And while it can be beneficial to point out potential “blindspots,” sometimes the information isn’t applicable to the situation at hand.
What it can also do, he said, is “flip the script” so that AI is producing the work and physicians take on more of a reviewer or editor role. “That can create a lot of challenges.”
The other point of caution with AI is the reliability of the output. “It’s not perfect, and so, when you start applying it to high-stake situations, it’s tough,” Dorn stated. The problem is that the information is right enough of the time, which makes it “very convincing.” In fact, he believes “it would almost be easier if it was consistently wrong, because then you ignore the messages,” or at least supervise them more carefully.
What that does is create a situation in which users don’t know if they should rubber-stamp the information or question it. “That’s real tension,” he said. “We need to think more broadly about how we work and not assume that these tools are going to make us better. In some ways they can, but only if we apply them to the right places in a thoughtful way.”
When it comes to AI scribes, a similar tension exists. Although some physicians have reported reductions in “pajama time,” the data doesn’t necessarily support that, according to Dorn. “If you look at the large studies that have been published, AI scribes have only saved about a minute, or even less, per patient.” And while that can make a dent, it’s not the time of impact he wants to see.
The more significant benefit, he believes, is in the capability to summarize data, particularly for specialists who spend a lot of time preparing for patient visits, especially the initial consult. “I’m more excited about that than anything else, because summarization applies to all healthcare roles, whether you’re a physician, administrator, or any other role,” he said. “I do think we’ll see some improvements in pajama time,” along with a boost in morale.
But does that justify the extremely high valuations of AI scribe vendors? Dorn isn’t quite sold. “I think these tools are amazing, but we have to temper our expectations with all technology in terms of what they can accomplish,” he said, while also avoiding the “polar extremes” that often surface with new innovations. “We need to be careful,” he said, and realize that AI is neither going to save nor sink healthcare on its own.
“These technologies offer some amazing capabilities, and if we use them the right way, I see tremendous potential,” he concluded. “But if we expect too much too soon, we’re setting ourselves up for failure.
Information security, like so many components of healthcare, has seen quite a shift in recent years, with the focus evolving from “how do we keep threat actors out, to how do we manage systemic risk related to technology,” according to Sahan Fernando.
For CISOs, that means not just being up-to-date on the latest threats, which are constantly changing. It also means being able to communicate the importance of implementing security measures – and the consequences of failing to do so.
“Availability is core for us as providers,” he said. “If we can’t provide that, that’s a risk that really bothers me.”
During a recent Unhack the Podcast, Fernando spoke about the philosophy that he has adopted at Rady Children’s, breaking down how his team is addressing some of the most pressing challenges for CISOs and other leaders.
Sahan Fernando
The ability to safely and security share patient information is important across healthcare, but for pediatric organizations, the stakes are higher. “The community aspect is so critical in our sector,” he said. “At the end of the day, we’re not competitors. We’re all in this together.”
Fortunately, Epic – the organization’s EHR vendor – has been pushing hard to advance portability, which is fraught with hurdles in pediatrics, especially when state lines are crossed and different regulations factor in.
“This is an active discussion topic among CISOs and privacy officers,” he noted. “How do we do this in a way that we're not violating another state’s laws?” Fortunately, more organizations are leveraging CareLink and similar strategies to facilitate care coordination and push for better outcomes. “We need to think about how we empower patients to have more agency over their data and records, and more ownership of their care plan. I see that as very empowering, and I hope that continues to play out.”
One of the sticking points that Rady – and countless other systems – has run into is data retention. Although his team has the option of rolling off data when patients turn 23, as per Epic’s policy, they’ve opted to hold onto it.
“We have a business records retention policy that is completely separate,” Fernando stated, adding that the email communications have separate guidelines. Complicating matters is the fact that a growing number of organizations are using AI-powered tools to create transcripts.
“There’s some risk there from a legal standpoint,” he added, particularly when it comes to unstructured locations like email and chats. “If you can’t prove that they didn’t go through, then all the records are considered in scope, and have to then be reported to OCR as breached.”
And that, according to Fernando, can escalate a situation quickly. “If you have a trauma coordinator who sent out a spreadsheet of 600 patients, that can add up very quickly over a few weeks.” In fact, it can incur as much damage as a ransomware attack in terms of lost revenue and other costs. “You could be talking about millions,” particularly when considering the costs of corrective actions and plans that would need to be deployed.
This is where meticulous planning can make a big difference. “If you’re doing drills and informing your stakeholders of potential risks and how you would manage them, it's less of a surprise,” he said. “You need to have alignment from the beginning on the what, why, and how.”
Some of the steps his team has taken? One is ensuring certain tasks are pre-authorized, which can help expedite the remediation process. And if critical conversations haven’t yet occurred, “you need to ensure you have the right people on the call to ensure everyone knows what you’re doing. What’s the impact and who do you need to speak with about how that cascades down in terms of the staff and patients,” he noted. “That’s a big part of the CISO role.”
In terms of mapping out procedures, teams need to know if and when they can move to downtime procedures and how patient care will be affected, as well as the process for contacting patients and family members. “There’s so much nuance there,” Fernando said, emphasizing the need to clearly communicate plans long before an incident occurs.
Given the uphill battle security teams are fighting, having a comprehensive, overly cautious strategy has become must. For example, while dwell times for bad actors have reduced following a breach, the impact they can have has increased, which is why his team will continue to up their game. “We have high-fidelity telemetry, alerts and detection controls in place,” such as forcing bad actors through high-visibility channels. “Through these stealthier tactics, we have more opportunities to reduce dwell time and impact,” he said. “That’s part of our philosophy – to make it harder for them to do the low-cost stealthy stuff, and easier for us to catch them.”
The reality, unfortunately, is that the bad actors will never quit. And so, while administrative controls can go a long way toward stopping the spread, it’s the technical controls that can make a true impact by preventing incidents. “We need to think about how we can ensure we’re putting up the right gates and moats and other defenses while letting the right stuff get through.”
Of course, it will never be a perfect science. But with patient lives at stake, perfection is a goal his team will continue to pursue. “With technology and security things are always changing, and so, you don't get to just sit complacently on certain things and say, ‘well, we solved that.’ There’s always a new challenge to address.”
And Fernando, like so many CISOs, wouldn’t have it any other way. “You can still be satisfied that you’ve done a good job with the resources allocated and still have that pursuit of perfection,” he said. “That’s part of the fun – how we make it as good as possible.”
There’s hardly a conversation that happens in healthcare without mention of Artificial Intelligence, and for good reason. Through capabilities like computer vision, ambient listening, and virtual nursing, AI holds a great deal of power, according to Matt Sullivan, MD.
“How we apply that power,” he believes, is “the secret sauce to making healthcare better, making our teams more efficient, and making people feel that it’s the best care we can deliver.”
At Advocate Health, where he serves as CMIO, advanced AI is being utilized for myriad functions, including monitoring patients and watching disease progression.
And that’s just the beginning.
During a recent 229 Podcast interview, Sullivan spoke about the challenges with scaling technology across an expansive system, the keys to obtaining buy-in, and the importance of knowing how to say ‘no’ the right way.
Matt Sullivan, MD
Like many healthcare organizations, Advocate has grown significantly in recent years through mergers and acquisitions, which means “a ton of our time is spent trying to figure out how to scale,” Sullivan noted.
It’s not just about consolidating multiple entities in an economically sustainable way – one that enables them to save on supply chain and contracting costs. It’s also about merging cultures that may share the same values but have different tactical approaches. For leaders, the question becomes, “What do you keep from one versus the other, and how do you bring them together so that the marriage of the two is effective?” he asked.
The answer? Positioning it as “a singular organization with a singular focus,” according to Sullivan, and making sure it comes from the top. “Our senior leadership has said, ‘these are the strategic drivers for Advocate Health. We’re not a holding company of disparate hospitals that do their own thing.”
That transition, of course, is never easy, particularly when it comes to executing on different strategic objectives, he noted. “But when you have that direction, it links everyone together and you can start to have those conversations and rewire ourselves in a way that helps drive outcomes.”
One of the key advantages of having that scale is the ability to invest in innovative tools like computer vision to monitor patients around the clock. And while some might prefer having a human being present, there simply aren’t enough nurses to accommodate every patient. With Artisight’s platform detecting movements and documenting them, it alleviates some of the pressure on nurses and caregivers, while still ensuring patients are cared for, he said.
“It’s the idea that someone else is watching that has knowledge of what should and shouldn’t be happening,” Sullivan noted. If that’s the case, a nurse is immediately notified, which has proven more effective than relying on a call button. “This is a much better situation. That’s why I’m so bullish,” he said. “Having that continued expertise at the bedside drives people to better outcomes. If we can embed that in every patient’s care across a large system, we really can change the game.”
And that’s just one avenue. Advocate is also leveraging Aidoc’s aiOS platform to embed AI algorithms into clinical imaging workflows, and has deployed Microsoft’s DAX to improve clinical documentation. “We’re starting to see that inflection point where the outcomes are getting better,” he said.
A critical factor in that, according to Sullivan, is the deliberate strategy Advocate has adopted when it comes to AI – not an easy feat when users (and sometimes executives) are clamoring for it. With so many solutions saturating the market, he believes it’s more important than ever for leaders to push back, in a respectful way.
“You have to be willing to say, ‘we haven’t looked at this one yet, and we’re not going to. Here’s why,’” he noted. “You need to be able to manage those conversations.” And that means clearly explaining why a solution isn’t the right fit, rather than just saying no. What also goes a long way? Taking the time to “have a few quick conversations to make sure everyone is in the same place,” he added. “Go back to that senior medical leader and say, ‘I will look at this if you want me to, but here are the reasons why I think it will be difficult for this to succeed in our environment. Tell me where I’m wrong.”
That healthy debate, according to Sullivan, will become increasingly vital as AI solutions take on a larger role in the delivery of care. “We want to get it to the point where nurses can walk around and do the things that bring you joy, and you aren’t constantly documenting on a device.”
And that, to his team, is truly the “secret sauce.”
Moving a large, complex organization to a single EHR instance is a monumental task. In a cash-strapped industry, figuring out ‘how’ to allocate the necessary resources can be vexing.
The ‘why,’ on the other hand, is pretty clear.
“Having one EHR platform is going to enable us to truly transform the experience for the patients, nurses, physicians, and everyone who uses our technology, and make it better,” said Chris Carmody.
He speaks from experience, as UPMC – where he serves as SVP of the IT Division and CTO – just completed the first wave of a major Epic rollout. And although his team is head-down with assessments and optimizations, while simultaneously preparing for the second round (scheduled for May 2026), they’re already seeing the excitement around having “a foundational system.”
Chris Carmody
It’s a massive transformation for UPMC, which hosted 10 main EHR systems and 7 patient portals prior to Epic, and continues to see more than 43 million ADT transactions per day. “To have that appear seamless across all of those systems and create simplification is going to propel us forward on adopting new technologies and pushing the envelope,” he said. “Because now, we don’t have to make changes in 10 different places. We can make the change once. We can expedite POCs on different technologies and deploy them at a large scale across our environments.”
And those are merely benefits from a technology standpoint. The more compelling objective is around improving patient experience. “Having that one-stop shopping is going to have a bigger impact on care and access. Patients can see whoever they need to see, at their convenience, instead of trying to navigate through different systems and processes.”
Setting up that one-stop shop, however, is a significant lift. And as leaders are learning, there isn’t a universal approach that can be applied across the board. Recently, Carmody spoke with Bill Russell about UPMC’s implementation journey, why it’s important to heed Epic’s advice while also carving your own path, and the “village” required to embark on a major change.
As most leaders know, Epic has a very specific blueprint for moving to a single platform; one of the core tenets is going big-bang with implementations. For an organization as large as UPMC – which includes 21 hospitals and hundreds of clinics – it wasn’t deemed to be the best option. “We’re totally aligned with Epic’s thought process, but we made some tweaks to the roadmap,” he recalled. “Every health system is different. We have different priorities and different communities and patients that we’re serving. And so, you have to be nimble and adjust to what works for you.”
What worked best, in their case, was a multi-phased rollout. Doing so, he reasoned, enabled his team to carefully observe the first wave and identify areas of improvement. “The go-live readiness assessment is a great opportunity to hear feedback directly from those on the front line who are going to have to adapt to the changes we’re bringing with a new system,” he said. “As we iterate on that and get better, hopefully we’ll have learnings that will make it even more effective.”
One lesson they’ve already learned is that embarking on a phased approach requires constant communication. “When you have multiple EHRs and portals, you’re going to have clinical and operational users accessing different systems depending upon who they’re seeing,” Carmody said. “That’s part of the challenge. That’s why communication is so critical.”
Another is the importance of preparation. As UPMC inched closer to the initial go-live, his team was laser-focused on “the details of crossing T’s and dotting I’s to mitigate all risks” and ensure that when the switch was flipped, “we have as smooth of a process as possible.” And while issues will inevitably arise, having solid processes established to manage them can make all the difference.
Not surprisingly, UPMC is leveraging some of the same philosophies with its approach to machine learning and AI technologies. Although Epic’s Art was included in the first wave, they’re also open to other offerings. “When we look at AI, we don’t want to reinvent the wheel,” Carmody said.
But that doesn’t mean they’re opposed to in-house development. In fact, his team has spent the past decade building algorithms around clinical and financial data – and the last 3-4 years re-platforming it into a virtual data layer.
The aim is to be able to minimize data replication, which becomes different with so many technologies coming together. This way, “we control access, but we can still present and aggregate it in a way that a clinical, operational, or financial user can get the insights they need,” he noted. The benefit of having the metadata is that “you can train some of these models and accelerate the process.”
Recently, UPMC launched a voice analytics model – called Vana – that will analyze call center recordings and incorporate natural language processing to develop better processes. “I’m excited to see how it influences operational efficiencies,” he said. “Ultimately, there’s going to be clinical data that we can pull out to better inform our longitudinal records.”
And while they may utilize Epic’s Cosmos dataset – particularly given the opportunity it presents in helping to treat rare diseases – he believes the decision to share data is one that each organization should face individually. “You have to train the model with your data. You have to make it applicable to your environment.”
What he appreciates about Epic, among other things, is the fact that they don’t try to “hard sell” solutions that an organization doesn’t want, or isn’t ready to adopt. Rather, his experience has been positive, which is critical. “They’ve demonstrated their commitment to UPMC, and most importantly, to our patients,” Carmody noted. “They get it. They know how we can transform patient care and improve it, and you see that in the interactions.”
What has also been crucial is Epic’s willingness to work through challenges. “They’ll fly to Pittsburgh and make sure that we overcome issues. It’s been a great journey,” he said. “I’m excited for our future.”
If inertia can be a challenging force in healthcare, one can only imagine the impact associated with “historical inertia.”
For many leaders, however, it’s a reality faced every day, particularly when it comes to tools and procedures that have been part of the vernacular for so long. Case in point? Flow sheets, according to Anika Gardenhire, Chief Digital and Transformation Officer at Ardent Health.
As with so many concepts, “there was a lot of really good intent” behind flow sheets, which were created to improve communication during shift changes and facilitate documentation. And for a while, they achieved that feat.
But with nurses increasingly experiencing burnout – and shortages looming, perhaps it’s time for a shift.
Anika Gardenhire
“We have an opportunity to think about how we can create a more holistic and supportive experience,” she noted. During a recent Town Hall interview, Gardenhire – a nurse by training – spoke with Reid Stephan (VP and CIO, St. Luke’s Health System) about the key challenges with nursing documentation, and the pivotal role that clinicians and EHR vendors can play in improving usability.
When it comes to patient care, the ultimate goal is to have “all of the specialties come together in concert,” she said. “And I genuinely believe in nursing as the coordinator of care.”
Nurses, she continued, are meant to “provide support and clarity of message across the specialties,” which makes sense, as they spend the most time with the patient, and can therefore “see them actively improve or decline over a period of time in a way that’s not inherent to the workflow of other disciplines and how they might interact with the patient.”
That narrative nurses provide plays a critical role in ensuring continued care for the patient – not just by presenting information, but doing so in a snapshot format, Gardenhire said. Initially, the transition to flow sheets made sense. However, as more boxes and dropdowns have been added, the process has become increasingly cumbersome, which has led to some hand-raising.
“It’s important to question which of these things are actual requirements, and how much of it is grounded in historical inertia,” she stated. “We need to come to the table and say, what is it we’re trying to do? If we want to make sure we can capture trends over time or make sure discrete data elements are there, is this the best way to do it?”
Determining that will be a multifaceted process, noted Gardenhire – one that should start by acknowledging that nursing is both an art and a science. “We spend a lot of time focused on figuring out how to capture the science that we might have forgotten to make sure we provide a documentation capture that also allows for the art,” she said. “I would hate to see us lose that.”
Because while it’s important for nurses to be able to titrate drips and make quick calculations in the ICU setting, for example, it’s equally vital to factor in the conversations that happen with patients and family members that can fill in key pieces.
“It’s not just about what’s happening on the outside with the science,” she said. “It’s the conversation you had with a patient while you were holding their hand, looking at the monitor and thinking to yourself, what would actually give this patient the encouragement that they need in order to fight the battle? Those things are really important for us to capture and understand.”
The big question, of course, is how. Step one, according to Gardenhire, involves seeking input and involvement from those who are currently practicing at the bedside. One grievance she has heard is the inability of dropdown menus to let users state what’s happening with the patient.
Another is the burden that comes from recording results. In an ideal setting, if a number comes off of something in my vicinity, I shouldn’t be expected to write it down,” she said. “I should be expected to look at the number and then document the things that are happening and what I'm doing about it.”
Nurses, she added, don’t need another data element. “We need suggestions based on analysis of background data. We can then take that suggestion and combine it with contextually aware information we’re getting from our five senses,” as well as the instincts nurses have developed after countless hours spent with patients.
The other party that should be involved? EHR providers, who she believes should work hand-in-hand with nursing organizations and other stakeholders to rethink documentation processes. “There’s an opportunity to have them come together with clinicians” and help drive important conversations,” Gardenhire notes. “There are things we can do now that we literally could not do in the past, and that creates a certain type of permissive rethinking.” And while it won’t necessarily be quick or easy to bring these experts together, “it’s an investment we need to make in order to support the future of clinical care.”
In conclusion, she urged leaders to continue to “be curious and think big,” particularly when it comes to developing processes that free up precious time for care providers. “Don’t let historical inertia block your thinking.”
One of Chase Franzen’s favorite quotes goes back to his days as a Taekwondo student: “Good is never good enough.”
At first glance it may seem defeatist; but in fact, the phrase refers to the constant pursuit of self-improvement – which he believes is quite apt for CISOs in the current healthcare landscape.
“It’s the idea of perpetually moving forward, getting better, and never being complacent,” said Franzen. At Sharp HealthCare, that means not just keeping the staff educated on the latest security threats, but doing so in innovative and “fun” ways.
During a recent Unhack the Podcast, he spoke with Drex DeFord about the “different approach” his team has adopted when it comes to boosting cyber-hygiene, the need to tailor education to fit users’ needs, and the key components of their AI governance strategy.
Chase Franzen
For cybersecurity and IT leaders, one of the most significant hurdles is getting the message out in a way that resonates. “We can teach anyone about safe cybersecurity practices,” he noted. “The difficult part is, how do we appeal to people? How do we meet them where they are and make it applicable to them in their daily lives?”
Doing so requires a solid understanding of human behavior, which is why Sharp brought on Peter Lopez-Perez, a licensed therapist. In his role as Cybersecurity Engagement Specialist, Lopez-Perez collaborates with other departments to help deliver awareness training, manage incident response plans, and stay informed about emerging threats.
“We’re taking a unique approach,” said Franzen. Instead of trying to “shove technology words and concepts down peoples’ throats, we’re meeting folks where they are through targeted training.”
How? One way is to go right to the source, which entails sending out queries to leaders, asking questions like: “what are you seeing about AI and cybersecurity that are confusing, interesting, or scary? What can cybersecurity do to help?” he noted. “Do you want us to come to your groups, to your huddles, to your staff meetings and tailor education around these topics?”
The response has been “phenomenal,” Franzen noted, because his team isn’t just asking critical questions: “We actually do it. We’re not coming with the same stuff we’ve regurgitated a million times.”
To help lessen the load on cybersecurity, Sharp has established an ambassador program which includes monthly educational sessions focused on specific areas. The most successful to date was a session on the importance of cyberhygiene at home, where attendees learned how to avoid common scams. The idea, according to Franzen, is that those behaviors would be applied at work as well as at home.
Other popular programs have centered around topics like spotting deep fakes, or demonstrating how scams are constructed. “We showed how a cyberattacker does open-source intelligence and crafts a phishing email, including how they spoof email addresses,” he said. “From a non-technical perspective, we pull back the curtain and show how it’s done.”
What makes the programs so valuable, however, are the takeaways. “It starts a conversation, and we end it by saying, ‘these are the salient points we want you to take to your team.”
An aspect that’s becoming a big concern, both for staff and leaders, is the use of GenAI in cybersecurity. Although tools like ChatGPT can offer “a world of benefit” by increasing visibility into nefarious activities, there are still serious concerns around the lack of guardrails.
“I go back and forth,” Franzen stated. “I’m super excited about the potential, but at the same time, I’m fearful of the ethical implications. I’m worried that healthcare in general doesn’t have effective oversight and discipline.”
Additionally, there are concerns around power consumption and finances, to name a few. “It’s really expensive. Are we recognizing the full cost of creation and ownership?”
And it’s not just the cost aspect, although that is significant. The technology itself is evolving rapidly. “Every day there are new capabilities, new LLMs, new agentic features. Trying to wrap your arms around it is challenging,” he said.
To that end, Sharp has created a multidisciplinary committee that examines AI solutions from a “true, complete cost perspective,” while also carefully examining the vendors. “Is this someone we want to do business with in these critical areas?” he said. “Are they doing AI correctly? Are they ethical?”
At an organization like Sharp, which is tracking more than 100 AI applications, these "philosophical conversations” have become critical, and will continue to grow in importance. For cybersecurity professionals, it means being willing to keep widening the scope and staying abreast of the ongoing changes in the industry.
And, of course, continuing to chase the “good.”
When William Morgan, MD, arrived at Copiah County Medical Center four years ago, it was supposed to be for a short-term assignment. What he saw, however, wasn’t a quick fix that needed to be made, but rather, something much bigger.
“It was an opportunity to make a difference,” he said. Specifically, to transform a critical access hospital into “the model for what rural hospitals in the state of Mississippi, and beyond, can be.”
Fast forward to today, his team has made incredible strides. All it took was an investment in cutting-edge technology, strong vendor partnerships, buy-in from the organization, and a solid focus on the unique needs of the community.
During a recent TownHall episode, Morgan, who serves as CEO, spoke with Sarah Richardson about his team’s strategy and shared best practices for other organizations.
William Morgan, MD
Not surprisingly, one of the keys to success they found is to start with the problem, not the solution. For Copiah County, it was the high number of critical care patients being transferred to outside facilities.
The solution involved partnering with Nateera and Artisight – in conjunction with University of Mississippi Medical Center for Telehealth – to launch a series of initiatives leveraging AI tools and telehealth technologies to prevent falls and identify patients who are deteriorating.
“We’re working with Naterra to trend vital signs so that we can intervene prior to patients having an adverse event,” Morgan said. “We’ve developed an algorithm in partnership with our critical care doctors to determine which patients can stay in our hospital and receive a TeleCritical care visit.
Before this tool was in place, ER physicians were “automatically transferring” patients with conditions like diabetic ketoacidosis so that they could receive appropriate care. Now, “a thoughtful evaluation is being done and assessments are being made” based on the data available, which not only enables Copiah County to provide a “higher level of care,” he noted, but has also yielded another critical benefit.
Nurses are gaining valuable learnings that otherwise wouldn’t have been possible. “They’re now comfortable treating critical care patients,” Morgan said. “They learned how to access graphs and shunts to do tele-dialysis,” as well as how to utilize the complex machines. “None of this existed prior to these projects. They really served as a platform for us to not only educate our nurses, but also build a sense of pride in them about what they're doing and what they're accomplishing.”
Although the technology clearly played a critical role in Copiah County’s success, it’s just one factor. What’s just as critical, he noted, is finding a “willing partner.” Companies like Nateera are “looking for partners to develop their products.” In turn, “we offer the setting in which products can be deployed, studied, and refined.”
When it comes to AI, the ability to validate data and constantly seek improvement is critical. “None of us know what we don’t know. AI is still new,” he said. “When you see that it tells you, you have to validate it.” Having a partner that will come onsite after a product has been deployed and continue to work through issues can make a significant difference.
His other piece of advice?
“Don’t be afraid of taking risks and trying out technology,” he noted. “You will have challenges with adoption in the beginning. You need to grit it out and continue to encourage your staff, your board, your physicians, and all providers that this is a worthwhile endeavor.”
For Copiah County, it has been. By leveraging technology to improve care and expand access to specialist care, they’ve shown that they’re prepared to invest in the organization – and consequently, provide better care. “As people recognize the resources that we’ve put into these projects, they’re no longer seeing us as a sleepy rural hospital,” Morgan said. “You don’t have to go to Jackson to get care. We’ll bring Jackson to you, because you’re gonna see the same specialist here that you see there. Our community understands that it’s an added layer, and they’ve embraced it.
No one wants to think about ransomware events and the absolute havoc they can wreak on an organization. But for healthcare leaders, ignorance is not an option. In fact, one expert advises doing the opposite.
“We want to talk about it as much as possible before we have an event,” said Brian Zegers, Information Security Officer at Lee Health. “We don’t want to try to figure it out in the midst of a storm.”
And the storms have come. Last year, two major ransomware incidents occurred within months of each other, resulting in widespread disruption and financial devastation. “The more we can figure out now, the better,” noted Lee.
While there’s no way to predict when and how a cyber event will happen, there are critical steps that can be taken to ensure teams and organizations are prepared to handle the fallout. During a recent Unhack the Podcast, Lee and Aaron Heath, CISO and Cybersecurity Counsel at the Medical University of South Carolina, shared some of the strategies they’ve employed, from infrastructure realignment to “internal poaching,” and discussed their biggest concerns.
Aaron Heath
One concern at MUSC was the number of freestanding EDs that don’t have sufficient network connectivity, which has led to some “pretty acute problems” for those areas. To remedy that, Heath’s team is looking at different options, including using satellites to maintain connectivity.
As it stands now, an outage can cause serious issues, “because there generally isn’t much infrastructure out there that can run out to them,” he said. “We’ve had cases where we have backup cell coverage to be able to maintain connectivity – they're still running on the same lines.”
It has become clear, he added, how interdependent connectivity is, particularly in rural areas, and how strongly facilities rely on technology. And so, “we’re looking at what type of benefits satellite services can provide for us,” while exploring other ways to increase resilience.
Of course, it isn’t just technical challenges that can get in the way; sometimes, the problems stem from the organizational structure. That was the case at MUSC, where leadership recently pulled infrastructure, network, and endpoint engineering teams into the security office in an effort to align strategically. “We ended up bumping into each other every time there was an issue on the network,” he said, explaining the decision to “get everyone on the same team” and establish “strict alignment.”
The more closely teams are able to work together, the more easily they can identify opportunities – and uncover mistakes. “I can’t tell you how often we’re finding things that a CISO should be concerned about,” Heath said. “It’s all interconnected. That’s where everything is going.”
Because of that connectivity, it’s more vital than ever that organizations have a firm plan in place to manage a cybersecurity event. At Lee Health, Zegers’ team has implemented a ‘recovery from ransomware’ initiative. Through tabletop exercises and sub-work streams, they’re “looking at all the different aspects of what we would be dealing with in a ransomware scenario,” whether its storage capacity or timing to get back online. “Infrastructure might say, ‘we have snapshots’ or ‘we have backups,’ but let’s dig into that,” he said. “Do we have that across the board? What does that mean? And so, it’s letting us have a lot of great in-depth conversations, and get teams outside of cyber to think about what would be involved in this process and try to brainstorm as much as possible pre-event.”
Brian Zegers
To date, his team has developed several sub-work streams focused on updating the response playbook to offline locations for documents to ensure staff have the resources they need. These conversations, he added, are extremely important, and should include teams outside of IT and cybersecurity. “This helps us in preparation of [ransomware] events, but also with our overall disaster recovery planning, because a lot of this stretches into other areas,” Zegers noted. “I always hope it’s not a cyber event that causes us to exercise these things, but it’s hard to get those conversations going and keep people involved. And so, this has really helped.”
Another critical step in laying a solid foundation? Building a strong cybersecurity team – something that has proven challenging across the industry. At Lee Health, where Florida residency is required for all staff, Zegers has found that the best candidates may already be in house.
And so, one of the “different avenues” his team has pursued is to identify candidates from other departments and try to recruit them. “In cybersecurity, you need a specific skillset and mentality and an appetite to learn,” he said. “They don’t need prescriptive steps as to what to do next.” Instead, the right candidates are able to pinpoint and figure out problems – and perhaps even more importantly, realize when a problem needs a whole new approach.
“It’s knowing when to call it and say, ‘let me not spend more cycles on something and go down a rabbit hole,” Zegers noted, adding that it’s no easy task. “You also need a good understanding of the infrastructure to be able to do that. Internal poaching has helped us identify really good candidates and bring them in.”
If that’s not an option, he also encouraged peers to cultivate relationships with local universities and other healthcare organizations, and leverage them to connect with candidates. “You have to keep those stokes in the fire” and continue to feed the pipeline, Zegers noted.
Heath concurred, adding that he’s excited for the future and has become “passionate about identifying people who have the right mindset,” and following the steps needed to develop a strong cybersecurity posture.
Because when you are able to change a process or see an improvement, “it is the greatest hands in the air feeling to be able to see that quantitative impact.”
© Copyright 2024 Health Lyrics All rights reserved
