David Higginson has quite a few things to say about "the changing role of the CIO" — he has lived it firsthand over the past several years.
Mr. Higginson joined the 465-bed Phoenix Children's Hospital in 2011 as CIO; today he serves as the organization's executive vice president and chief administrative officer. He is responsible for human resources, IT, process optimization, marketing and materials management.
Mr. Higginson is not only recognized as a leader in healthcare technology, but as an executive with a granular understanding of the many processes, people and workflows that fuel Phoenix Children’s, a nationally recognized pediatric hospital. He has thoughts on how other CIOs may move from infrastructure and implementation mavens to performance improvement and project management gurus in health systems.
We also asked him to identify the emerging technology CIOs are most at risk of overinvesting in today, whether he thinks artificial intelligence will revolutionize anything about healthcare by 2020, and what poses the greatest threat to a hospital's cybersecurity. Read on to see what he had to say.
Editor's note: Responses were lightly edited for clarity and brevity.
Question: There are obviously a lot of roles in C-suite pertaining to tech. What, if anything, do you think the next role will be?
David Higginson: I don't think it is an additional role; I think it is a transformation of the CIO role. The healthcare CIO started as the plumber, the director of technology. They put in the computers, put in the network — that was in the 1980s and 1990s. Then they transformed in the 2000s to become project managers of these big multimillion dollar EMR systems that had a huge impact on the organization. The CIOs who were really good project managers became the new face of IT and the infrastructure role became a director or sometimes the CTO. Now that we all have EMRs in place and the implementation cycle is finished, I think the next role for the CIO is really figuring out how to extract value from those systems and drive organizational change.
Now my title is chief administrative officer, but really what has happened is I've been given roles outside of IT to make use of the knowledge gained from years of implementing systems. I generally understand how each area of the hospital works from a process level, so I am changing flow in the emergency room, I am looking at bed flow and patient flow inside the hospital, I am running human resources, and I am overseeing the supply chain. I don't think that is fundamentally an extra role, I think that is potentially where the CIO can start to add more value — around process optimization.
When I am around my other C-suite colleagues, I am often the person who knows how a specific department works because two years ago I was implementing a system there. This third evolution of the CIO role will be for those people who really enjoy process and operations, and when they were implementing those systems, they paid attention. Being the process optimizer — I think that is really where the CIO role will go.
Q: What emerging technology do you think CIOs are overinvesting their time or resources in today?
DH: I can give the obvious answer, which is machine learning and artificial intelligence. I think there's a lot of misunderstanding about what it is, first of all. I am definitely on board with the concept of AI… we spent all this time building infrastructure and putting in EMR systems to gather data, so now let's finally use the information we're gathering. But I don't believe that we really need prediction nor artificial intelligence to get that value out.
I think we are really just getting our arms around what data we actually have and gaining insights from it. At our hospital, we started putting together different data sets in real time and making real-time quality and safety interactions or interventions with our patients. Things like [identifying a patient at risk of] acute kidney infection — it is not predictive, it is not artificial intelligence. It is simply taking keys pieces of information that are collected in real-time in the EMR, putting them together in a meaningful way, and then providing that to clinicians who say, "I will immediately check on this."
For acute kidney care, as an example, we have seen a 30 percent drop in Stage I and Stage II kidney failure. I think this kind of work is important but is often overhyped in terms of the predictive analytics, big data, artificial intelligence aspect. I don't think we're even there yet. We haven't even scratched the surface of the data we do have; we are just learning to make use of it. To already move to this next paradigm feels a little bit like chasing the next shinny object rather than extracting significant value from what we already have.
Q: What aspect of healthcare, whether it is financial, clinical or operational, is AI most likely to revolutionize in the next two years?
DH: In the next two years? I don't think any of those areas. I think in the next two years we will have people labeling things as artificial intelligence, but I don't think any of those areas will truly see AI.
If AI means the computer making decisions and figuring things out for itself, I think we are at least 10 years away from that today. Narrow AI, much like an Alexa scenario where things work in a very, very narrowly focused area — maybe around diabetes or a disease everyone is trying to track — may emerge in the short-term, but I think we are a long way off from general AI where we can ask a question and get an intelligent answer. We don't even classify data accurately today. If you look at a drug library in one hospital compared to another, many of the things don't even tie together. So it is going to be difficult to expect a singular AI to understand what it is looking at in many different healthcare organizations.
Q: What is the No. 1 threat to hospital cybersecurity?
DH: I think that, most likely, medical devices are the biggest threat because they are fundamentally unmonitored today.
A great example would be a pump that's used to give an IV drug to a patient. Some of those pumps have a wireless connection, some don't — at our hospital they don't, but they do have a USB port. And the drug library file, when you connect to that device, is often accessible. We do penetration testing in our organization, like many do. This year, we broadened it to a handful of devices used throughout the hospital and actually paid a company to come in and try to penetrate those devices. Learning you have a whole new set of devices to track and monitor is daunting.
You can easily imagine a scenario where someone might be motivated to access and alter a drug library on a patient pump. What if they connect to that pump, alter the drug library and change the dosing without detection? If you play that scenario forward with wireless pumps, you could imagine somebody sitting in the lobby connecting to those devices, changing the dosage in real-time and then holding you ransom. If you have to shut off all those pumps, there is no way you can administer the drugs to the in-house patients in a timely manner. No one would have enough people to manually administer all medications at a moment's notice.
Somebody would have to be cruel enough to do that in a hospital environment. You hope it would never happen, but there is a lot of consolidation in the industry right now. I hope we would never see something like corporate espionage coming into effect in this area. The real root of the problem is there is very little security on medical devices. In many hospitals, that responsibility has been a grey zone between biomedical engineering and IT, and who is really checking for security? We've experienced a rush in the last 10 years to buy devices with some kind of IoT connection — we may come to regret that haste if bad actors begin to exploit these devices.
These are the things I worry about. Maybe these scenarios won't happen, but I think they are very real and surprisingly easy to exploit. For ours and for many other hospitals, the thought of replacing all our pumps — which is $4 million to $5 million in equipment expense — just to address a simple security hole is very frustrating. You are diverting that capital away from far more impactful uses. I hope it never happens to anyone.
Q: What is the most valuable investment you've made in your own professional development in the past year?
DH: In the last two years, I have broadened the areas of the hospital I have been in charge of to include working in marketing, human resources and purchasing. I had a good general sense of how these departments functioned, but spending time, digging in and trying to understand and improve the way they operate has taught me things I know I will value for many years to come.
I am actually an accountant by background, but even with a non-technical education I have not fully prepared myself in the last 20 years to be ready to fully take on these things, like running a human resource department or a marketing department. I've had to go through a lot of personal growth — a large amount of it on the job, but also a lot of reading and learning at home. Understanding the seven Ps of marketing, for example, and all those things people learn in college about marketing and communication. Going back to that has been challenging, but also really rewarding. It certainly keeps me stimulated and excited about the future.