The Many Hats of the CIO with Brian Sterud of Faith Regional Health Services
Episode 442 • 10th September 2021 • This Week Health: Conference • This Week Health

Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Today, on This Week in Health IT: how do we operate if the system does go down? Everybody is prepared for 24 hours or less. Once you start getting past that threshold, things get a lot more complicated.

Thanks for joining us on This Week in Health IT Influence. My name is Bill Russell. I'm a former CIO for a 16-hospital system and creator of This Week in Health IT, a channel dedicated to keeping Health IT staff current and engaged. Special thanks to our Influence show sponsors Sirius Healthcare and Health Lyrics for choosing to invest in our mission to develop the next generation of health IT leaders.

If you wanna be a part of our mission, you can become a show sponsor as well. The first step is to send an email to partner at this week in health it.com. I wanna take a quick minute to remind everyone of our social media presence. We have a lot of stuff going on. You can follow me personally, Bill J Russell, on LinkedIn.

I engage almost every day in a conversation with the community around some health IT topic. You can also follow the show at This Week in Health IT on LinkedIn. You can follow us on Twitter, Bill Russell HIT. You can follow the show, This Week in HIT, on Twitter as well. Each one of those channels has different content that's coming out through it.

We don't do the same thing across all of our channels. We don't blanket post. We're actually pretty active in trying to really take a conversation in a direction that's appropriate for those specific channels. We really want to engage with you guys through this. We are trying to build a broader community, so invite your friends to follow us as well.

We want to make this a dynamic conversation between us so that we can move and advance healthcare forward. Today we are joined by Brian Sterud, who is the VP of IT and CISO at Faith Regional Health Services. Good morning, Brian. Welcome to the show. Good morning. I'm excited to be on. I've watched a number of these and am excited to participate.

Yeah, it's gonna be fun. I like having health systems like yours represented on the show, because there are what some people have coined as celebrity CIOs. You can go after the big IDs and whatnot, but I was on a... And one of the smaller health systems was there. And it dawned on me that all the same regulations, all the same cybersecurity needs, all the same compliance things, all the same clinical aspects were required from that person who had like a 10-person IT staff as were required of me with a 700-person IT staff.

And I was sitting there going, I have no idea how they get all this stuff done. And you're not quite a 10-person shop, so tell us a little about Faith Regional to start off with. So yeah, we're located in Northeast Nebraska; Norfolk, Nebraska is where we're at. We have one hospital licensed for about a

limits, but probably about a:

And we have about:

Wow. Alright, so I mean, your role is interesting. Tell us a

Talk about your organization and your roles specifically. I've been here for about nine years, and a lot of things have changed. We've built it and done a lot of really great things here, I think, and built the team over that course of time. Obviously security's changed quite a bit.

Not that it wasn't a focus nine years ago, but boy, is it different today. Through that process, given the size of organization we are, it would probably be difficult for us to have a full-time CISO. And so through conversations with our CEO about how we can work together, the thought was, can I fulfill that role, be in that dual role? There are others that do that kind of thing, but it's probably not the majority.

And so we came up with ways to do some educational things. And then there are some other vendor arrangements that we work through that help through that process. So I still have that responsibility of all the things that you would assume with the CIO, and then also have the security officer side of things as well.

Do you have a strong technical background? Is that your background? Yeah. I always kind of joke with my staff, I used to be really useful and I'm not as useful now, but the way that I cut my teeth was being very hands-on technical, and I was certified in a bunch of technologies coming up in my career and through working at resellers and that kind of thing.

And so then I grew into a leadership role, and most of that technical expertise was on infrastructure-type items. Wow. So in the smaller health systems, you're really an active part... one of... who kept saying, stop trying to be the CTO, stop trying to be the CISO. We have those within our organization, but the reality is, you play a little bit of those roles in the decision making and the technology selection process and whatever, in all aspects.

And really the smaller the health system, the more multifaceted you have to be to step into those conversations. Yeah. You wear multiple hats. You hear that all the time. We have a fantastic team that we've really built smart over the last nine years and tried to grow in the most appropriate way.

Very strong teammates and other leadership within IT that help us get our job done every day. But one thing I would say, Bill, is that when we look at our organization compared to some of the very large organizations that we interact with, we can be really nimble because of those multiple hats that we wear.

And we can sometimes be more effective because of it. So in other words, it's not the security guy throwing something over the wall to the firewall guy that has to get changed, where there's all those siloed teams. We really have a cohesive team that works together and I think can problem solve faster because we don't have those different lanes, so to speak.

Yeah. You don't need as many meetings. If three of you are at lunch and start talking about redesigning the network and those kinds of things, you don't have to say, hey, let's call meetings over the next three months to decide if this makes sense. That's interesting. Talk about the CISO role and how risk and security are handled at your organization.

You... a health system-wide group that helps sort of set the direction around security? Yeah, so we worked really hard and are proud of a lot of the things that we've been able to do. So while I serve in that role, we have a security committee across the organization that involves stakeholders from, among others, HR, our physical security, our compliance team,

our risk folks, IT folks, and they sit on that committee and make a lot of decisions there and execute on a lot of the things that we're looking at. A lot of what leads into that are things like our annual risk assessment that we do, and then that team takes that and we prioritize the work that needs to get done, and then, yeah, it goes through that committee for the most part.

Being on senior management, I participate in our board meetings, so at the board level they get quarterly updates on all of IT, but specifically also certain metrics that we track on the security side of things. And then annually we do a presentation on the state of cybersecurity specifically. The nature of this has caused, well, clearly it's caused concern for all of us.

I mean, you have Scripps, you have Sky Lakes Medical, you have St. Lawrence and others, but they went after hospitals of your size with ransomware. That has to have caused some concern. There used to be this mindset of, we're small enough, they're not gonna come after us, but they are coming after hospitals of your size at this point.

Has that changed the conversation somewhat? I think due to some of the things that have gone on across the country, and I think some of the things that have even happened locally here. We do some work for and have relationships with some area critical access hospitals as well. So it's become apparent the target that they are, and the conversation about convincing our senior executive team or our board on the threat is

so much easier, unfortunately, than it was four or five years ago. It's very clear, and we've actually seen many of the things that have happened, and some of 'em firsthand. And so the threat's always there. Right now, and this isn't a new thought, much like everybody else, our preparedness is preparing for when it's gonna happen.

So we've actually spent the better part of this year on a pretty intense lessons learned: how do we operate if the system does go down? And one thing I don't think people always do... everybody, I think, is prepared for 24 hours or less. Once you start getting past that threshold, things get a lot more complicated.

So we've spent a lot of time across the organization. One of our project managers has led an endeavor where we're working on that process: how would we operate, how do we get bills out the door, and then recovery. So if it extended beyond 24 hours, how do we then recover from it properly, make sure that patient care is first and foremost, and then make sure that we can get bills out the door and that kind of thing, and make sure that we don't have an issue from a revenue perspective either.

Yeah, Sky Lakes was down for close to... Scripps was down for 30-plus days. I was saying a little while ago to somebody that we didn't have plans to be down for 30 or 40 days. And I think that's one of the things that's sort of changing in our mindset: what does it look like to recover when core clinical systems are down for multiple weeks, and how do we start to shrink that timeline from ransomware event to recovery, make it a

instead of 40-some-odd days. How does your team stay current on what's going on in that? Do you rely on vendor partners? I mean, how do you guys stay current on all the things that are going on and morphing? I mean, you have things that are changing on the network side, infrastructure side, cloud side, cybersecurity side.

I mean, there's so many things changing. How do you stay current on all those things? Yeah, we do our best. I don't know if anybody's always... There's always something more that you can do. But given the fact, kind of going back to the conversation about the dual role that I serve in and the fact that we're not gonna have a security team of 50 people,

we leverage what we think are very smart contracts with other vendors, and I wouldn't necessarily always call it managed services, but advisory-type services, making sure that we're informed. We work tightly with one vendor that really allows me to even consider having this dual role, where I have access to expertise that can help us there.

And they also do a number of other things for us, from vulnerability assessments and that kind of stuff. So I think that, given our size and what we're able to do, we have to be able to piecemeal those things in. And that helps us stay ahead of things, hopefully to the extent that we can be prepared.

And then, like I said, we've taken a really good look inward at what our processes are here and how we deal with downtimes, and that doesn't really take any expertise other than a little bit of, you know, blood, sweat, and tears to get it done. So talk about the most impactful moves with regard to technology that you've made over the last, you know, 18 to 24 months.

pic that went live October of:

And that obviously allowed for us to have that complete view of the patient record. We had some siloed systems before that. That's been tremendous. Along with that, we also went to a new cloud-based ERP platform, and that's been evolving, and we did that in phases. So we had financials and supply chain right away.

And then later we layered on payroll and HR, and now we're looking even further down the road at talent acquisition, talent management and some other things. So that's probably been the most... Now I know those are sort of block and tackle things and maybe not super interesting, but... No.

Which ERP did you go with? Infor CloudSuite. Okay. That's interesting. So is this the first time you're going to a cloud-based ERP, or have you always been onsite, or have you been hosted before? We had had aspects of it that were cloud, but this is the first time having the entire fully integrated product in the cloud.

What's the biggest learning from really having the suite in the cloud? Do you have the level of customization that you want, or uptime and that kind of stuff? What's the biggest learning of moving offsite? Uptime really hasn't been much of an issue. I think the biggest learning is, we definitely do have the level of customization, almost to a fault.

So I think that our philosophy has been, to the extent that we can take that foundation build or that standard build, that's what we need to do. There's too much potential room for error when you start creating variations. Now, obviously you need to in certain circumstances, but being disciplined about only making those changes that we need to make, and if the foundation build can satisfy that, then that's what we need to take.

You have the same thing on the EHR side. Did you try to stay with a standard foundation build? Absolutely. Yeah. That's very much standardized. We're participating through a Connect program there, and that actually forces some of that, but I think in a good way, and makes sure that we are as standardized as we possibly can be.

I was just reading about the VA, and they're getting reviewed on their Cerner project. You're obviously an Epic shop, but one of the things I sort of took exception to as I'm reading this: they said clinicians were less productive the week following the EHR implementation, and I just sort of laughed.

om the point you went live in:

Obviously it was a jump up in terms of technology and capabilities, but what have you done to improve the experience all along the way? Yeah, that's a great question, and I wish I had this off the top of my head, but Epic measures that productivity and projects how long it should take you to get back to previous levels.

And our clinicians actually knocked it outta the park, and I can't remember the time-frame threshold, but we were back to where we needed to be much ahead of the projections. So in that regard, that was fantastic. The thing that I love about the Midwest, to be a little bit biased, is that the work ethic here is second to none, and there's no failure.

e, we went live in October of:

So we spent some time doing some optimization. We spent some time on all those things that go with the go-live, right, that didn't work perfectly. Sometimes some of 'em are more minor, but they might take a little while to alleviate. And so then we jumped right into Covid, and everybody's world's been upside down ever since.

So I don't know. We have regular rounding that gets done with clinicians, and we have folks out in front of 'em, trying to make sure that it's operating at the best of their abilities. So we really haven't done any sort of full-scale optimization relative to that. I'm sure you'll get back to that, or be asked to get back to that.

That's one of those things that just never ends, right? You're always optimizing the system. So Brian, I did a little research on you prior to our discussion and

your network upgrade. You guys did a pretty comprehensive network upgrade. Tell us a little bit about that. What'd you guys do, and what was the goal of that project? Yeah, so it kind of started on our wireless side. We needed to make a change there and looked at vendors. I know that was before my time, but if you think about it, it's probably 12 to 15 years ago.

The vendor landscape is a lot different today than it was then. And so really, you got rid of your 3Com switches? Is that what you... No. Yeah, I dunno if it goes back that far, but go ahead. Yeah, so we went through that wireless evaluation and selected a vendor, and then it allowed us over time to converge that with our wired infrastructure.

That gave us a number of capabilities from a management perspective, but also really led up to getting to a good network access control product and the ability to do microsegmentation. It's taken a long time to get there, but now we have the ability to profile devices and make sure those devices are only able to communicate with what they need to.

The example I always give to oversimplify it for people is that my laptop has no need to talk to an IV pump. There should be no purpose for that to happen. And so things like that, and getting to the ability that we can do that. And it really comes down to, again, limiting the damage in the event we did have an attack.

That was probably the biggest thing, other than just getting refreshed technology, is getting to the point where we can do those types of things. There's a lot of power in software-defined networks, and I read that article, you went in the Aruba direction. I just interviewed C Software. It's so different from what we used to do.

I mean, we'd have global rules, then we'd have port-level rules, then we'd have device-level rules. I mean, it was a team of people, a significant amount of work to maintain those rules. But now that administration has become, it's almost like a learning system as well. It's learning as it goes what you're plugging into it,

what kind of traffic should go across it. It's pretty interesting. How many people do you have managing this, and what is the administration? There's really only a couple of people that are managing and looking at it. We leverage and work together with vendors. I will say, since I never know whether we can say vendor names or not, but since that's out there, they've been a fantastic partner.

And when I say partner, I mean partner. There are those out there that I think strive to have a partnership with their customer, and so far Aruba absolutely walks that walk and has been a great partner with us. And again, we work together with some other local vendors to make sure that we can deliver on that promise.

Yeah. The nice thing about this show is I talk to all my vendors, all the partners of the show, before they sponsor, and I say, look, we might talk about your competitors in a positive light, because people wanna know what you're using. Hey, so you're about the same size as somebody who's listening to this show,

and they might be saying, hey, our network's gotten pretty wild. And instead of me getting emails, which I do from time to time: hey, you talked to this person, what are they doing with this? They can just hear it from you, what kind of stuff you're using. Aruba happens to be one of our channel sponsors as well.

I'm not talking to you about it because of that. I'm talking to you about it 'cause I remember how complex it got, even around the guest networks that we had to set up, and being able to identify what those people were doing, identify the traffic. We also took an approach of, assume they're already in your network and now you have to find them.

And we needed more sophisticated tools every day, and we kept bringing in third-party tools. It always kept coming back to me: why can't my network vendor... why am I plugging in a sniffer to see what's going on here, and a this to do this and a this to do this? That should be built into the software.

They should know what's going on across that network. And that's one of the reasons I was taken by your approach, and also to go wireless first and then go down to the wired. I think a lot of people start with the wired and then go out to the wireless. So it's interesting you went in that direction.

Was there a reason for that? Just timeframe. I wish I could give you some really great, intelligent answer. Just the timeframe on the age of the equipment and what needed to be replaced first. Yeah, but we did talk about it. We did sort of consider everything. And obviously, I actually say HPE's done a great job with that acquisition of Aruba; that's gone well too.

Do you place a lifecycle on the equipment that you purchase? You purchase a new workstation and you essentially say, this is a five-year device, or a new access point and say, this is a six-year device, or that. Or are you not that proactive yet with regard to asset management? I gotta tip my hat to some of our finance folks.

We are really required to do a pretty good job of projecting out multiple-year plans for capital, and then anything that comes in the door, what that lifecycle might be, so that we can predict when we may see those expenses. So, especially when they're not an operational-type expense, you can anticipate when we're gonna have years that we may spend more than others.

So we do a pretty good job of projecting out those lifecycles on almost everything. So what are the priorities over the next 24 months from a technology perspective? Well, I think right now a lot of the things that we're working on have to do with just continuing down that ERP road and adding on some modules that we're anticipating from a talent management, talent acquisition perspective.

We're currently in the process of working on some of those things, and then there's some others that come along later on to get to that fully integrated ERP system. There's always the security initiative, so we're taking a hard look at some endpoint protection and looking at DLP and where that sits within our organization, and whether we're doing all the right things that we need to be doing.

How do you stay up with regulatory, I mean, the price transparency, 21st Century Cures? Is that something that the vendors that you've partnered with come up with solutions around, or are you actively trying to pursue some of those things as well? I mean, those certainly are things that we're always on.

A tremendous resource for those things, especially for somebody in a smaller organization. I'm able to get hooked into some committees. I sit on some public policy committees and some other committees that give me insight into what's going on. It helps us anticipate, listen to a bunch of smart people talk about their thoughts on those regulations.

And then that allows us to execute on things locally where we need to with our vendors. So that's one way that we tackle that and work together with our vendors. We work together with our other partners within the Community Connect network. That helps as well. That's awesome. Has your staff come back to the office yet?

So this is a little bit unique. I don't know that I've really talked to anybody that brought 'em back quite as quickly as we did. So one thing about the Midwest was it took a little bit longer. We didn't see the surges the same way that everybody on the coasts did. Our staff here, in our IT organization, has been the top-rated department for employee engagement,

yeah, every time we've done our survey since I've been here, and they enjoy each other. They work really hard, they play hard together, and because of that, they wanted to come back to the office. We brought 'em back around June or July last year, back into the office. And that's, I think, pretty unique.

I mean, there's a lot that are not back in, and we've been back in the office for over a year. We had to do that smart. We had to segregate people certain ways. We had to follow protocols, but people just really wanted to be around their coworkers more so than sitting in their basement.

And it's just a tremendous culture, I think, that we have here, that our employees want to do their work that way. Yeah. Have you modified your facilities or anything at all, or just practiced good practice around there? And vaccinations have really helped to mitigate any major risk in the work environment.

Yeah, I mean, early on we had some of the luxuries of, within Norfolk, we have two campuses right now. There were two hospitals that merged a number of years ago, so we have space that was available, so we were able to just segregate teams early on, without knowing, with exposure risk and those kinds of things.

We made sure to do that so that we didn't have a point of failure where we'd have to send exposures home and all of a sudden we lost the two or three people that work on a certain technology. So we tried to separate those, and then social distancing within the location they were at and mask requirements.

Obviously vaccines have helped a ton as well. So it's been something, like I said, that's I think a little bit different than other organizations, but it really has turned out well and we've had no significant issues. Certainly we've had some folks that, before the vaccination, had actually gotten Covid, but we never had any real mass issues or any exposure issues.

That's fantastic. So Brian, this will air actually after HIMSS, but we're recording before HIMSS. I'm curious, are you gonna be attending HIMSS? So I'm actually not attending. I am actually on a panel through Aruba; I'll be attending that virtually. We do have some people that are going; it just didn't happen to work for me to attend this year.

It'll be an interesting conference. I think I saw an email yesterday, 19,000 people planning to attend in person. The first one I attended had almost 40,000 people at it, so that's roughly half, but still, 19,000 is 19,000 people. That's a sizeable conference, so it'll be interesting to see what comes out of that conference.

Brian, thanks again for your time. It was great meeting you. Great having this conversation. Yeah, it's always fun to do these kinds of things, and hopefully, if there's something that somebody can learn or wants to reach out, certainly I'm happy to speak with colleagues and network.

Sounds good. Take care. What a great discussion. If you know of someone that might benefit from our channel, from these kinds of discussions, please forward them a note. Perhaps your team, your staff. I know if I were a CIO today, I would have every one of my team members listening to this show. It's conference-level value every week.

They can subscribe on our website, thisweekhealth.com, or they can go wherever you listen to podcasts: Apple, Google, Overcast, which is what I use, Spotify, Stitcher, you name it. We're out there. They can find us. Go ahead, subscribe today, send a note to someone and have them subscribe as well. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health IT leaders.

Those are VMware, Hillrom, Starbridge Advisors, Aruba and McAfee. Thanks for listening. That's all for now.