Patty Lavely, SVP & CIO, Gwinnett Health System, Chapter 2

When Patty Lavely stepped into the CIO role at Gwinnett two years ago, one of her top priorities was to build a strong relationship with the CNO. It was something she had admittedly struggled with in the past, but one of the many lessons she learned during her time in consulting was that relationship management is an essential skill for today’s CIOs. In this interview, she shares more takeaways from her time in consulting, including how to build trust, and how to avoid the common trop of hiding behind bureaucracy. Lavely also discusses leading a major EHR selection process, how the organization revamped the security process by reassigning responsibilities, and the “daily challenge” CIOs face with prioritization.

Chapter 1

Chapter 2



* Revamping security

* Cybersecurity talent — “We found it very difficult to recruit those skills.”

* Prioritizing by communicating

* Information Management Planning Council

* Executive support — “Our leadership team is willing to ask questions.”

* Starting a consulting company



LISTEN NOW USING THE PLAYER BELOW OR CLICK HERE TO SUBSCRIBE TO OUR iTUNES PODCAST FEED

Bold Statements

Our pay scale for that type of role isn’t usually in line with the IBMs of the world and the companies that focus just on security and technology, so I think that’ll continue to be a challenge for us.

I try to spread my time equally and really understand what their priorities are, because their priorities and the organizational strategic priorities should drive mine.

Our leadership team is willing to participate and to have the discussions and to ask questions if they don’t know, and they’re willing to allow me to ask questions of them and to learn more about their organization so that I can better prioritize on their behalf.

That was when I thought, this is when this group is really working — when I’m not the one driving the agenda. So I left that meeting feeling very hopeful that our governance is really working. It’s not me rubberstamping everything.

After talking to a lot of people and consulting with some of my friends who were incredibly helpful, I decided to develop a company myself around this idea that CIOs are very busy, and if they had more time in the day, what would they be doing with it? That’s what I could do for them.

Gamble:  I want to talk about security. It’s something that’s always on everyone’s minds and it’s one of the things that keeps CIOs up at night — anyone can understand why. So I wanted to talk about your strategy there.

Lavely:  I’ve been here two years. We are in the process of enhancing our security program — sort of rewriting it to some degree. When I got here, a new compliance officer started at the same time or really close to when I did, so we spent the first year of both of our time here really looking at what was here and coming together and sort of redistributing responsibilities. And so now where it used to all fall to information systems, it’s now a joint responsibility between compliance and information systems. Really how we sort of draw a line in the sand is that compliance is responsible for audits and policy, and we are responsible for implementing the technologies and enforcing the policy with technology. Between the two of us, we both sit on the incident response team — the two executives or myself and the compliance officer, and we rewrote the protocol and the policy for incident response and communication, all of that.

I think we have a very good process and program as far as that goes, so now we’re taking a look at all of our technology and our overall risk assessment schedules. We recently contracted with a new cyber security vendor who we’re going to outsource ...