In a small health system, it is not uncommon for leaders to hold several positions. Brian Sterud, VP of IT, CIO, and CISO of Faith Regional Health Services, is an example of just that. Sterud explored innovation, cybersecurity, and the dynamic of his multiple positions on Influencers with host Bill Russell.
Within smaller health systems, leaders must wear multiple hats.
Security has become a greater role in the IT department since Sterud joined nine years ago. However, because of the size of Faith Regional, there has not been the demand or resources for a full-time CISO. Therefore, Sterud has dual CISO and CIO roles.
“We have a fantastic team that we’ve really built smart over the last nine years and try to grow in the most appropriate way. Very strong teammates and other leadership within it help us get our job done every day,” he said.
Small systems are able to be more nimble than larger organizations, Sterud explained. Because many team members hold various roles, processes are more effective because fewer people are involved.
“In other words, it’s not the security guy who throws something over the wall to the firewall guy…We really have a cohesive team that works together and, I think, can problem solve faster because we don’t have those different lanes,” he said.
At Faith Regional, there is a security committee comprised of stakeholders, HR, compliance team members, IT, and more. The committee helps make and execute security decisions across the organization.
Healthcare leaders have heightened concern that ransomware attacks will leave their health systems offline for 30 to 45 days, Russell explained. These fears have only increased as larger health systems like Scripps Health have recently been targeted, leaving costly ramifications.
Previously, executives in smaller systems believed they were too small to be targeted. However, more and more have fallen victim to cyber attacks. According to Sterud, in the last four to five years, it is easier to convince the senior executive team and board that there are threats to their system. With that understanding, teams have focused on preparing for the possibility of their system going down.
“Everybody, I think, is prepared for 24 hours or less. Once you start getting past that threshold, things get a lot more complicated,” he said.
Currently, Faith Regional is working on the process of determining how to operate and recover beyond 24 hours. This includes being able to continue patient care and ensure safety from a revenue perspective.
Network, infrastructure, cloud, and cybersecurity continually change. Therefore, it is important for organizations to stay as current as possible, Sterud explained.
“We do our best. There’s always something more that you can do,” he said.
Being a smaller team, his system leverages small contracts with vendors and advisory-type services to stay informed. According to Sterud, Faith Regional partners specifically with one vendor that allows them to access expertise in several areas.
“I think that given our size and what we’re able to do, we have to be able to piecemeal those things in. And that helps us stay ahead of things, hopefully to the extent that we can be prepared,” he said.
Beyond this, as the system considers inwardly how to process and deal with downtimes, there is less of a need for expertise and more of a need for simply putting the work into it.
“[It] doesn’t really take any expertise other than a little bit of blood, sweat, and tears to get it done,” he explained.
One of the most impactful innovations over the last 18 to 24 months for Faith Regional has been its move to Epic. Going live in October 2019, this has been a time-consuming move allowing for a complete view of patient records. After previously having siloed systems, this is a significant move, according to Sterud.
Currently, a new cloud-based ERP platform is evolving. This is the first time the system has a fully integrated product in the cloud. The Infor CloudSuite started implementation in financials and the supply chain, later moving into payroll and HR. According to Sterud, there are potential plans to add it further into talent and acquisition management.
One challenge for his team has been learning customization. According to Sterud, the level of customization can become problematic because it leaves a significant potential for error in variations.
“I think that our philosophy has been to the extent that we can take that foundation build or that standard. That’s what we need to do,” he said.
Sterud advised teams to stay disciplined when making changes, since variations are necessary in specific circumstances.
After most EHR implementations, there is a decrease in productivity, as teams calibrate for the change in workflows and technology.
After about al week, Faith Regional dramatically increased in productivity, Sterud said. Their clinicians presented a strong work ethic that overcame the obstacles of an EHR implementation.
“Our clinicians actually knocked it out of the park. I can’t remember the time frame threshold but we were back to where we needed to be much ahead of the projections,” he said.
Recently, Faith Regional had a comprehensive network upgrade with Aruba Networks. According to Sterud, it is a fantastic partner in this process.
“There are those out there that, I think, strive to have partnerships with their customer. And so far, Aruba absolutely walks that walk and has been a great partner with us,” he said.
As for priorities, Faith Regional is progressing in its ERP and adding modules from talent management and acquisition. As well as this, there are security initiatives that are assessing endpoint protections and DLP.