Thursday, September 15, 2011

Authority, Responsibility, and Risk

When I became CIO of CareGroup/BIDMC in 1998, I promised to listen to all my staff and collaboratively embrace technologies that would benefit patients while also enabling employee career growth. The IT team worked together to implement new infrastructure and new applications. Each success led to further success, an upward spiral. Other groups such as Media Services, Knowledge Services, and Health Information Management joined IS. We continued to grow in scope and capability.

My sense at the time was that additional authority, budget and span of control were great - more was better.

However, in my nearly 15 years as CIO, I've learned that while more authority may bring more opportunities to succeed, it also brings increased responsibility and with it, additional risk.

In a world of increasing regulatory pressures and compliance requirements, the likelihood of something bad happening every day in a large organization is high. The larger your role, the larger your risk.

Today in my BIDMC role I oversee:

83 locations
18000 user accounts
9000 desktops/laptops/tablets
3000 printers
600 iPads
1600 iPhones
450 servers (200 physical, 250 virtual)
1.5 petabytes of storage

serving over a million patients.

If one employee copies data to a USB drive and loses it, a potential breach needs to be reported. If one workstation is infected with malware that could have transmitted clinical data to a third party, a potential breach needs to be reported. If one business associate loses an unencrypted laptop, a breach needs to be reported. 30,750 such breaches have been reported since HITECH took effect. All breaches are the CIO's responsibility.

If one IT project is over time or over budget, it's the CIO's responsibility.

If one IT employee goes rogue, it's the CIO's responsibility.

If one server, network, or storage array fails, it's the CIO's responsibility.

If one application causes patient harm, it's the CIO's responsibility.

Life as a CIO can have its challenges!

At the same time that responsibilities are expanding, the number of auditors, regulators, lawyers, compliance specialists, and complex regulations is growing at a much faster rate than IT resources.

There are three solutions:

1.  Spend increasing amounts of time on risk identification and mitigation
2.  Reduce your responsibility/accountability and thus your risk footprint
3.  Find a nice cabin in the woods and homestead as far away from regulatory burdens as possible

I'm doing #1 - about 20% of my day is spent on matters of risk, compliance, and regulation. I'm doing #2 by transitioning my CIO role at Harvard Medical School to a successor. #3 sounds appealing, but I'm not there yet!

As healthcare CIOs face new regulations for e-prescribing of controlled substances, FDA device safety requirements, 5010 implementation, ICD-10, new privacy rules, and Meaningful Use stages 1-2-3, the magnitude of the challenges ahead may at times seem overwhelming. I sometimes long for the days when all I had to do was write innovative software and create a nurturing environment for my staff!

There are 3 negative consequences that can result from overzealous regulation:

1.  The joy of success can turn into a fear of compliance failure
2.  Compliance can create such overhead that we lose our competitiveness
3.  We'll become less entrepreneurial, because the consequences of non-compliance, such as loss of reputation, penalties, and the burden of responding to agencies enforcing regulations, become a deterrent to innovation.

For now, I have accepted the risks that come with all my responsibilities, but at some point, the balance may become more challenging to maintain. As we move forward, I hope that policymakers in Washington and at the state level will be mindful of the unintended consequences of regulatory complexity.
