In-Depth Interview with Protiviti Managing Director Matthew Jackson. He shares the implications of digital transformation in the healthcare industry.
November 1, 2019
Hello. This is Kevin Donahue with Protiviti, welcoming you to a new edition of Powerful Insights and our series on cybersecurity awareness. Protiviti has a series of webinars on cybersecurity awareness that, along with these accompanying podcasts, are intended to highlight ways organisations can be proactive in addressing these critical security challenges. We explore how leaders can dynamically build cyber resilience while maximising value.
In the series, I’m talking to our cybersecurity leaders who are speaking on our webinars and are in the market working with organisations addressing these challenges. These webinars or podcasts and other content are available at protiviti.com/security.
With that, I’m pleased to introduce my guest today, Matthew Jackson. Matt is a managing director with our Security and Privacy practice out of Dallas. Matt, it’s great to speak with you today.
It’s really why I got involved in healthcare to begin with. Obviously, we’re all patients in some form or fashion, and the changes that ripple through this industry really have a very deep and meaningful impact on all of us, whether that’s personally, our friends, our families – but you get my point there. In general, though, if you look at where the world is today compared to where it was 10, 20, 30 years ago, it’s really pretty incredible, and we’ve gone from 8-tracks to streaming audio services, but these are really exciting times for healthcare right now.
During my career, I definitely haven’t seen such widespread significant change occurring as we’ve seen over recent years, and really, as we fully anticipate, it will continue into the perceivable future and beyond. Unlike the extinction of that 8-track, the changes we’re seeing in healthcare today and the advances that are being made are literally improving our health and ultimately working to extend our life expectancy when, in fact, in 1913, the average life expectancy was 34 years, which was really shocking to me, and today, it’s well over 72 years.
To your question, how healthcare embraces and utilises technology remains a huge component of those advancements, again, it’s just really exciting to be part of it.
Yes. I’d probably sum up a key one as that belief that it’s someone else’s problem, or “Oh, it’s just a technology thing” or “Somebody else has it covered.” It’s the old “That’s not my job” mentality, and that’s a real problem in healthcare.
Yes, Kevin. If I could, let me finish a thought on that other question, and I’ll tie that right into this one, because they’re really related. That thought of “It’s not my job – it’s just an IT thing,” is really one of those challenges that you can’t disconnect security and compliance, for example. You can’t be innovative on an island. You can’t expect IT to understand the nuances of clinical operations and anticipate the impact that even minor changes are going to have on patient care, and really, the point is, there are still a lot of people that believe you can operate in silos, but that’s just not the case in healthcare.
To address that, leading organisations really place an emphasis on cross-functional collaboration – that’s really important. Whether that’s looking at strategic technology initiatives, implementing an overarching programme to utilise something like robotic process automation or even starting that journey toward true enterprise risk management, they realise you can’t separate IT, legal, compliance, security and other risk management functions. You have to work together to ensure all those bases are covered. Ultimately, I know it may sound a little silly, but the technology is not just an IT thing.
To the question on the big challenge, then, in addition to some of the perspectives that I’ll share from our wide range of experiences, each year, Protiviti conducts a joint survey in conjunction with North Carolina State University’s ERM Initiative. It’s a really insightful view into executive perspective on top risks facing a variety of industries, but specific to healthcare, we see a pretty consistent theme that uncertainty around regulatory changes and scrutiny continues to be top of mind and a real challenge that organisations struggle with. From a technology and security perspective, for example, although HIPAA has been around seemingly forever, as the bad guys continue doing bad things and the threat landscape that healthcare organisations are faced with changes on a daily basis, regulatory enforcement and scrutiny continues to increase and definitely isn’t going away. Those are big challenges.
Continuing on that, the Office for Civil Rights, or the OCR, continues ramping their audit investigation activity and continues to harp on a number of areas where they believe healthcare as an industry is really falling down, such as your foundational risk analysis and risk management practices that all of us have to comply with that are involved in healthcare. All healthcare organisations really should be addressing what they’re doing on an ongoing basis when it comes to things like HIPAA compliance and cybersecurity, because it’s really a never-ending battle. That mentality earlier about it just being an IT thing, it’s really not. It really involves compliance, security, legal – the whole gamut of risk management functions at their organisations.
Then, to compound that even further, the demand for top talent in healthcare right now from a technology, security, and innovation perspective really does exceed the supply at the moment, and there is fierce competition to attract and retain talent to try to keep up with the bad guys while also keeping the edge on the competition. At times, I’m sure healthcare organisations feel like they have to do more – they have to do it better with less while keeping everybody happy and also staying out of the headlines and possibly even in jail. There’s a big challenge in the healthcare space right now, summed up in that capacity.
Thanks, Matt. I want to take a moment to remind our audience that our information on cybersecurity – a vast wealth of content, from the webinars I mentioned before to our podcasts and to other papers – is available at protiviti.com/security. You also can find a wealth of content from Protiviti at our special website, Protiviti.com/healthcare, which features a healthcare rundown of the top risks survey that Matt just mentioned, as well as other information looking at issues affecting healthcare organisations.
Matt, following up on your last response, out of all those issues you covered, what would you say is the one question you’re asked about most often by companies interested in this field – healthcare IT, digital transformation and such – and how do you answer it?
It’s a nice tie-in to these continuing questions, and more and more, as organisations struggle with these problems, we’re asking, “What are others doing?” Obviously, the response varies significantly based on the area of focus and nature of the organisation, but there really seems to be a sense of comfort in knowing that you aren’t alone, right? While every organisation is truly different and the risk appetite varies significantly, we strongly encourage organisations to leverage lessons learned through their partners, consultants, peers, professional associations, direct interactions with regulators, and take every chance you get. In fact, we’re seeing, for example, more healthcare organisations forming strong relationships with their local FBI offices. They’ll stay informed on cybersecurity threats, as another example there.
But as I mentioned at the start, where I think we truly differentiate ourselves is the commitment to our clients that we’re so proud of. We don’t just want to point out problems and say, “Good luck.” Our goal is to partner with healthcare organisations to help identify solutions to their problems that are really tailored to their specific needs, their culture and their environment. That’s something that we strongly encourage organisations to do: Don’t try to go it alone. In this particular case, the organisations, for example, engage us to assist across a wide range of solution areas. Some of those include to address this problem area, aging regulatory compliance, like performing a gap evaluation against the HIPAA requirements to determine where practices failed to meet the intent of the regs.
That’s based on our insights and working directly with the regulators and a wide range of organisations, and then helping to improve their compliance maturity or performing detailed penetration testing, vulnerability assessments, social engineering or other technical security reviews, leveraging our state-of-the-art dedicated cybersecurity labs. Essentially, thinking like the bad guys to help keep them out or helping compare practices against established frameworks like NIST or ISO or HITRUST, and to help develop strategies for strengthening overarching cybersecurity programmes. Or, I had mentioned ERPs and EHRs earlier, serving in that project risk management capacity during the conversion of legacy resources to more traditional ERP systems, which we’re seeing a lot of now.
Then also, as the industry continues to evolve, helping you ensure that digital transformation initiatives embrace that cross-functional collaboration that we talked about. We’re also designing and implementing solutions across areas such as RPA, advanced analytics, artificial intelligence and machine learning, just to name a few, but while making sure that security considerations, for example, are appropriate and incorporated into those initiatives.
Wow, that’s a great rundown and clearly a lot of issues, a lot of challenges, these organisations are facing today. It has been great speaking with you. I have one final question I wanted to cover. First, please visit protiviti.com/security to view and listen to our webinars on a broad range of cybersecurity issues. As I mentioned before, you can also visit Protiviti.com/healthcare for a wealth of content related to healthcare organisations.
Matt, I’d like to know, in your field right now, what is out there that you’re most curious about, and tied to that, you’ve talked about a lot of changes happening, so along with like your curiosity, I guess specifically, what are you curious about in terms of what will be changing over the next five to 10 years, and what should companies be aware of with regard to those changes that you see?
I wish I had a crystal ball, and I had touched on a few of these things briefly, but I’m really curious to see just how quickly and extensively healthcare truly embraces things like artificial intelligence and machine learning and advanced analytics, and if we as an industry can really be successful in managing things like security and compliance risks without inhibiting innovation and standing in the way of true transformative care, I think that’s going to be a really critical part of our future. I sincerely believe that we can, but that journey is not going to be easy. In five to 10 years, I think we’re going to look really, really different.
I agree. I can’t imagine that healthcare organisations and other organisations, for that matter, are not going to look very different. Matt, it has been great speaking with you. Thanks, again, for joining me.
I want to remind our audience to visit our protiviti.com/security site and other sections of our website for more information and thought leadership. We also invite you to subscribe to our Powerful Insights podcast series wherever you find your podcast content.