This month's article uses the metaphor from the Fifth Discipline, a book written by Professor Peter Senge circa 1990, to describe the systems approach required if organizations want to change their compliance DNA. Senge's book contemplates what's required for a "learning organization." This article contemplates what 21st century compliance DNA looks like and why it matters that "systems thinking" underpins all compliance initiatives. First, we address what Senge calls the "learning disabilities."
1. I am My Position
In the 24/7/365 online world that all knowledge workers now inhabit, it is hard to predict who within an organization will be the compliance (specifically, in this case, "cybersecurity") change agent. It's important that knowledge workers do not get caught up in the organization's pecking order, because it generally only serves to constrain where innovative ideas may come from. This is especially true with respect to the kind of comprehensive systemic approach to cybersecurity required to reduce risks to levels that are reasonable and appropriate pursuant to the regulatory regime targeted.
One thing is certain: the functional group from which the cybersecurity change agent ("CA") may emerge is an unknown unknown. The CA may not emerge from the "usual suspects" (e.g. information technology). Why is that? Because a cybersecurity vision, and the resources to get it implemented, require much more than technical acumen. They also require the communication skills necessary to transform an organization's cybersecurity initiative into something it does as part of the value it delivers to customers/patients, and not some "bolt on" necessary evil activity.
2. The Enemy is Out There
Compliance in the 21st century is not about reacting to Big Brother looking over your shoulder but rather about delivering value to customers. There are no regulatory agencies "out there" that you should be at war with. You are at war with the increasingly sophisticated "bad guys" who want access to your customers' sensitive data in order to monetize it, or to perform other nefarious activities, that customers are obviously interested in avoiding. For example, the public policy that underpins our respective customers' interest in privacy will only increase over time.
The more we are surveilled, watched, tracked, etc., the more our desire for privacy will increase. A desire for privacy is a visceral reaction, a reach for some semblance of quietude and repose that all human beings need when we are bombarded with thousands of messages each day demanding our attention. The organizations that can seamlessly provide us with privacy as part of their value proposition are likely to attract our loyalty, all other things being equal.
3. Illusion of Taking Charge
Unfortunately, although we all understand that a successful HIPAA Compliance Initiative ("HCI") cannot proceed without the executive management team's ("EMT") participation, the latter cannot take the lead role in running the initiative. The reason for this may not be obvious on its face. Compliance officers quickly realize the dilemma of having been thrust into "the belly of the whale." An HCI is much more complex and time consuming than almost everyone expects, even when you expect it to be a full-time job. This is especially true when your organization is trying to launch its HCI. If the EMT is busy doing what it should be doing, it generally does not have the bandwidth to take on this job, no matter how good its intentions. This is a job for professional compliance officers.
That said, there are always exceptions. We tend to find these exceptions most often in small boutique business associates, where HIPAA compliance is the difference between winning a piece of business and not even being included in the game. Here the EMT clearly understands what HIPAA compliance means to its value proposition and embraces compliance as it would any other revenue generation opportunity.
4. Fixation on Events
We are too focused on the short term, which prevents us from seeing the long-term patterns of change that are the cause of the immediate events. This is especially true when an organization experiences a breach. The focus tends to be on "responding to the event" instead of on root causes and systemic failures. In addition, this event focus often precludes any real change in the organization's compliance DNA, which reverts to business as usual as soon as the event has been "handled."
5. Delusion of Learning from Experience
People seldom directly experience consequences of their decisions. For example, breaches generally don't happen often enough for an organization to develop deep institutional knowledge from the lessons learned. Further, often the lessons learned are not the right ones. Blame is generally assigned to individuals instead of the organization's HCI writ large. The bottom line is that systemic risks require systemic solutions. We are not convinced that "systems thinking" has permeated the business culture to the extent required to manage systemic risks. Remember, "systems thinking" is not the same thing as "throwing technology at a problem." A system is much broader in scope than the technology that underpins it. As non-trivial as that technology may be, it is usually the "people" part of the system that poses the most difficulty. Problems that encompass systemic risk are by definition wicked problems, because they inherently contain more organizational complexity than technical complexity.
The anecdotal evidence is that the healthcare industry, writ large, appears to have learned little from the historic breaches that have already occurred and from the reputation damage of being listed on HHS' Wall of Shame. Many reasons have been posited for healthcare's learning disability. The one that we have settled on is that, for historical reasons (in no small part due to academic training), the industry views itself more as a group of "clinicians" than as "business people." In part this dichotomy has persisted because healthcare, as practiced in the U.S., is a business like none other.
- Pricing transparency does not exist.
- There is no easy way to compare quality between providers.
- There is very little accountability to patients for quality outcomes, primarily because the latter are generally not the "payers" (fee-for-service is still king).
We could go on but you get the picture. For good reason, almost all senior healthcare executives are doctors. Therefore, there is very little mixing of business DNA from other industries. The healthcare industry is a beast unto itself.
6. Myth of the Management Team
We tend not to work together but rather fight over turf and avoid doing anything that risks looking bad. We are not competent to discuss whether there are more turf wars in healthcare than in other industries. However, we can say that the management teams we have interacted with understand very little with respect to how privacy and security should be incorporated into the organization's DNA. Most tend to view compliance as a "bolt on" necessary evil that simply needs to be managed. Few management teams understand that in the 21st century cybersecurity (i.e. both privacy and security combined) must be an inherent part of the organization's value proposition, delivered on behalf of patients. Ah, but therein lies the problem: ask any healthcare management team who their customers are and they may say "patients" out of political correctness, but the reality on the ground is far different. Their "customers" are generally insurance companies or large employers. Why? Because the latter pay the $$ that keep the wheels of healthcare turning.
7. Parable of the Boiling Frog
We tend not to notice, or are unwilling to notice, threats that rise gradually, which results in an inability to react until it's too late. The healthcare frog has been boiling since the HITECH Act was promulgated in 2009. There have been hundreds of high profile breaches and thousands more that don't make front-page news. Yet it is clear that the industry has failed to take any significant action en masse. The prevailing feeling appears to be "breaches are things that happen somewhere else." Privacy and security are simply not top of mind for clinicians. Nursing schools and medical schools barely teach students enough to allow them to spell HIPAA (mostly) but not much more. The water keeps getting hotter but the frog remains mostly oblivious. As we all know, this story does not end well for the frog. One day something really bad, but otherwise utterly preventable, happens. This fails to move the needle for the practice next door. In that practice another frog is starting to boil.
According to the book, it is no longer sufficient for an organization to rely upon just one person to learn for the organization (if it ever was). A successful business is one that can effectively develop the capacity for members to learn at all levels of the organization. A learning organization requires its members to be open to new ideas, to be able to communicate effectively with each other, to understand the organization, to form a vision shared by all members, and to work together to achieve that vision.
Although the book's conclusions sound like yet more platitudes, given that we have all become somewhat jaded by the "vision thing," they certainly ring true with what's required to change an organization's DNA with respect to privacy and security. If not, it is likely to continue "raining breaches" for the foreseeable future.