Are you a covered entity?
Basing a county/municipal information security (infosec) and cybersecurity framework on HIPAA is a logical choice, especially if you have one or more covered entities (CE) in your organization.
How do you know if you have or are a CE? If some department or division within your organization is a healthcare provider, a health plan or a healthcare clearinghouse, they are a CE. If you have clinics, doctors, psychologists, clinical social workers, chiropractors, nursing homes or pharmacies, you are a CE [i]. Moreover, many counties have divisions or departments that function as accountable care organizations (ACO), managed care organizations (MCO), healthcare clearinghouses or health maintenance organizations (HMO). These are all common functions, especially within large county governments.
Are you in compliance?
If anything described above applies to your county or municipal organization, one or more divisions of your organization is a CE and is required to be in compliance with both the HIPAA Security Rule and the HIPAA Privacy Rule.
In my experience, most county governments that have covered entities are out of compliance. Where does your organization stand?
I suspect what often happens is that executives look at something like information security policy requirements and say:
This has tech words in it. IT handles tech stuff. Therefore, I’ll turn it over to IT to handle.
What a huge mistake. An organizational policy dealing with the manner in which information is handled, regardless of whether or not HIPAA regulations apply, requires communication and coordination with legal, HR, IT, information security, risk management, archives, county clerks and other divisions within your organization. It’s not a tech issue; it’s a high-level, interdisciplinary executive function. It is an information governance (IG) issue, and it shouldn’t be handed off to your IT director or CIO to address unilaterally.
Trust but verify
There are a number of reasons why IT should not be delegated sole responsibility for organizational information security. For one, a successful information security program requires checks, balances and oversight. Trust but verify! A successful program also requires expert knowledge of departmental business processes that often exceeds the knowledge of the IT staff. Moreover, if your department heads have equivalent status within the organization, it is not appropriate for a CIO or IT director to unilaterally dictate policy to his or her colleagues of equal status. There are far too many IT departments that have adversarial relations with their end users because of their autocratic and often illogical decrees. Information security requires a team approach with executive and board oversight.
Extend HIPAA to your enterprise
If you have covered entities in your organization and have limited or nonexistent enterprise security policies, I would recommend that you consider building your entire enterprise information security policy on the HIPAA Security Rule in order to raise the entire organization up to that level while also getting compliant with federal law.
Why? It is highly probable that your organization uses shared facilities, shared IT infrastructure and shared services. Multiple information security levels create a significant management challenge and are certain to cause chaos and confusion. Multiple security stances will lead to security gaps and ultimately to breaches. Keep it simple and operate at the highest standard using generally accepted, good practices.
Develop your policy with the HIPAA Security Rule
There are two major components to HIPAA, the Privacy Rule and the Security Rule. For the purpose of this discussion, only the Security Rule matters, but we’ll definitely discuss privacy another day.
The original HIPAA Security Rule document, 45 CFR Parts 160, 162 and 164, Health Insurance Reform: Security Standards; Final Rule (published in the Federal Register on February 20, 2003), is 49 pages of small print. However, the meat of the document is contained within the final six pages and includes a handy matrix (Appendix A to Subpart C of Part 164) on page 48 (page 8380 of the Federal Register).
The security standards in HIPAA are broken down into three sections, each of which has multiple layers and sub components:
- Administrative Safeguards (9 components)
- Physical Safeguards (4 components)
- Technical Safeguards (5 components)
These three major areas break down into at least 43 separate policy areas where your organization must build safeguards, including risk analysis, contingency planning, backup, passwords, HR sanctions and terminations, disaster recovery, encryption and many more.
Using the components in the matrix should enable you and your IG committee to quickly generate a suite of security policies and procedures that, when implemented and enforced, will vastly improve your current information security stance.
These are all policy areas that must be addressed as a matter of good practice whether or not you are a covered entity. This is why HIPAA is an excellent starting point for municipal governments that are infosec policy deficient.
1. Find out where your organization stands in terms of information security policies and procedures.
2. Find out whether or not you have covered entities in your organization. Must you comply with HIPAA? Are you compliant?
3. Meet with your IG committee to discuss your findings.
4. If you don’t have an IG committee — start one!
5. Download and review the HIPAA Security Rule. Use it to build your organization’s information security policies.
6. Use either the PDCA (Plan, Do, Check, Act) approach or the DMAIC (Define, Measure, Analyze, Improve, Control) approach to maintain continuous improvement.
7. Begin building a culture of security in your organization.
We’ll continue the discussion next week, so check back then.
This article first appeared in cio.com at http://www.cio.com/article/3188667/governance/hipaa-as-an-umbrella-for-countymunicipal-cybersecurity.html
© Copyright Jeffrey Morgan, 2017
The cybersecurity risk to local government
Weak or nonexistent cybersecurity programs represent a massive organizational risk to county and municipal government agencies in the United States. County and municipal executives are often unaware of these risks because they assume that their IT Director, CIO, or an external vendor is managing security and addressing the risks. It is rare that such an assumption is correct.
While the Ponemon Institute[i] found that “federal organizations have a stronger cybersecurity posture than state and local organizations,” the Brookings Institution[ii] concluded that “the vast majority of public agencies lack a clear cybersecurity plan.” Much of the available research is based on small samples and I believe that these studies may understate the scope of the problem. Based on my 23 years of working with public sector organizations, I can state with confidence that most lack any cybersecurity plans at all.
Your job as a municipal executive is to provide leadership and management in order to get the big picture right throughout your organization. What follows is advice on how to ensure that an appropriate cybersecurity program is established and functional in your organization. I recommend that you, the municipal executive, assume high-level responsibility for cybersecurity oversight. You don’t need to know the technical details, but you must know whether or not the appropriate frameworks, infrastructure, policies and procedures are in place and working correctly.
The need for information security is as old as civilization and possibly as old as life on earth. Information Security (Infosec) was invented to protect the first secret – whenever and whatever that was. Infosec is not solely a human artifact — my Great Dane always felt the need to maintain security concerning the location of his favorite bones and dead woodchucks. Techniques, methods and models for protecting information haven’t changed all that much and the methods of cybersecurity are largely based on models for protecting physical information.
Information Security refers to the discipline and processes to protect the confidentiality, integrity and availability of all your information regardless of form. Cybersecurity is a subset of information security and applies to digital data. In this article, I may use them interchangeably even though they are not, but counties and municipalities need an Infosec plan that includes cybersecurity.
Municipal data – a pot of gold
County and municipal networks are treasure chests overflowing with priceless gems. Mortgage documents, deeds, births, deaths, ugly divorces, medical records, social security numbers, and military discharge documents are among the many types of publicly accessible documents that may contain PII (Personally Identifiable Information), PHI (Protected Health Information), or other sensitive information. Constituents turn over all this information naively assuming that you are doing everything in your power to protect it from theft and misuse. Are you a worthy steward of this treasure?
Root causes and obstacles
Let’s discuss eight of many root causes of failure to establish appropriate information security programs in local government organizations. Subsequently, we’ll move on to a methodical, practical approach you can initiate immediately to improve your cybersecurity posture.
“A lack of skilled personnel is a challenge at both federal and state and local organizations.”[iii] One problem is that many public sector IT Directors and CIOs don’t have the knowledge, training and background to plan and deliver acceptable, standards-based, comprehensive information security programs. They are often unaware of widely accepted standards, guidelines and frameworks that are readily available, so cybersecurity planning is often amateur and homebrewed. Moreover, HR and hiring managers often don’t understand the required skills[iv] and look for the wrong people.
The largest municipal agencies may employ a CISO (Chief Information Security Officer) but the vast majority of public sector organizations do not have a dedicated information security executive and staff, nor should they necessarily require one.
IT staff members are rarely trained in or even familiar with relevant statutory compliance requirements. I have come to expect a deer-in-the-headlights look from public sector CIOs and IT staff when inquiring about security policies, privacy policies and other matters of security and compliance. Questions about HIPAA Security Rule compliance, for instance, are almost always met with “What’s that?”
A jumble of regulations
Municipal organizations may have dozens of departments, divisions, or lines of business with varying regulatory requirements from numerous federal and state agencies. Municipal governments do a lot. They may be involved in building bridges, managing traffic signals, providing water, waste, electric and sewer services, supervising elections and recording deeds while providing physical and mental health services and dental care.
A typical county government may have to comply with regulations like HIPAA[v] (Health Insurance Portability and Accountability Act) and 42 CFR[vi] while also complying with the security policy of CJIS[vii] (the FBI’s Criminal Justice Information Services division), in addition to state regulations from organizations such as an Office of Mental Health or Department of Health. Additional requirements for records management from State Archives agencies add to those complexities and often contradict other regulatory requirements.
Departments with vastly different information security and regulatory compliance requirements often coexist on a shared network where the security posture is designed for the lowest common denominator rather than for the highest. Often, municipal IT staff members don’t have clearly defined policies and procedures for reviewing information such as security logs and system events. Even if they do record these events, their stance is usually reactive rather than proactive.
Silos and turf wars
Counties and municipalities may have highly distributed management structures which function as silos rather than as a cohesive team. In some states, the silos may be a “feature” of constitutional government where elected officials manage some departments and may not be accountable to central executives. One result of this is that a county executive, and consequently County IT, may not have global control of IT and information security because other elected officials choose not to cooperate. Some real world examples I have seen include:
- County Judges and their staff members refuse to sign and abide by acceptable use policies.
- County Sheriffs refusing to cooperate with an IT security audit claiming their security policy and processes are “secret.”
- Social Services commissioners unilaterally declaring that HIPAA regulations don’t apply to their operations.
Silos in organizations create massive gaps in security management. When multiple parties are responsible for security, no one is responsible.
Most security problems are internal
90% of breaches occur because of an internal mistake[viii] and 60% of breaches are a result of internal attacks[ix]. Unfortunately, county and municipal information security programs often treat outside threats as 100% of the problem rather than focusing on more probable internal threats.
Insufficient budget is often used as an excuse for low quality IT services and lack of security in public sector organizations. It’s usually a red herring. In my experience, there is no correlation between budget and quality in the public sector. I have seen small, low-budget organizations build excellent security programs and have also seen large organizations with eight-figure tech budgets fail to establish even the most elementary components of an information security program. A cybersecurity program will cost money, but it doesn’t have to bust your budget.
In local government, critical management positions are often filled based on political considerations rather than quality of candidates. Expertise in information security should be a major component in your CIO’s toolkit.
Tech versus strategic thinking
If you think in terms of technology, stop it! I am always a little suspicious of industry professionals who fall in love with a particular technology. Technology is rapidly replaced or superseded so think strategically instead. There is no such thing as a technology problem; there are only business problems. Identify and solve for the business problem and the appropriate technical solution will reveal itself.
Start with Information Governance (IG)
What’s the first step in establishing your cybersecurity program? It has nothing to do with cybersecurity.
Information Security and cybersecurity must be components of your overarching Information Governance (IG) Program, overseen by an interdisciplinary team with executive support. Treating cybersecurity as a standalone program outside of the context of your organization’s information universe will produce a narrow approach. Do you currently have an IG program?
I can hear some grumbling right now. “Jeff, when do we get to the important stuff?”
IG is the important stuff. There are no silver bullets. There are no miracle pills that will address your information security requirements. No miraculous hardware or software will magically keep your information safe unless you have the right policies in place. There is some real work to do here and the P-things are the most effective tools to pack for your InfoSec journey. You will develop these from your IG Program:
- Policies
- Processes
- Procedures
What is information governance?
I like Robert Smallwood’s succinct definition of Information Governance: “security, control and optimization of information.“[x] In order to develop sound InfoSec and cybersecurity programs, you must know what you are protecting and why you are protecting it. The purpose of the IG program is to map, understand and manage your entire information universe. The map you create will serve as the foundation for your information security programs.
In a municipal government organization, an IG committee may include legal, HR, records management, IT, finance, and auditors, as well as other departments. Let’s say your municipality has a public health clinic, recorder of deeds, personnel/payroll and a sheriff. This means you have medical records, prisoner health records, recorded 911 calls, police reports, mortgage documents, confidential personnel records, payroll records, social security numbers and a lot more. The people with special knowledge about the nature and disposition of all this information must be on your committee.
In some organizations, information and security policy is developed at the whim of the CIO or IT Director. Is that IT Director expert in statutory requirements and industry best practices for all the areas mentioned above? I doubt it. This is why you need a cross-functional team to map the universe and make a comprehensive plan.
Establishing a comprehensive information security program
Once you have begun building your IG foundation and framework, your Infosec and cybersecurity requirements will be much clearer. Also, IG, Infosec, and Cybersecurity are not one-time activities. They require a process for continuous improvement like PDCA (Plan, Do, Check, Act) or DMAIC (Define, Measure, Analyze, Improve, Control). Get something in place first, and then continue to improve it. Attempting to get it perfect from the start will only result in implementation delays. This job never ends but it gets much easier once a solid foundation has been built.
Information Security Management Systems (ISMS), Frameworks and Standards
Once you have a comprehensive understanding of your information universe, develop security policies and programs for implementation and enforcement of those policies.
Use an existing framework. Designing comprehensive information security programs is more complicated than installing firewalls and anti-virus software and there is a great deal to think about.
There are many freely available information security tools in addition to standards and frameworks that require payment or membership in an organization. You can build a successful security program using only free tools, but my crystal ball is on the fritz today so I can’t see which tool is best for your organization. I wish I could tell you there is a one-stop shop, but there isn’t. You will have to evaluate your situation, do the research and make informed decisions about the best approach for your organization. Following is a brief discussion of some of them.
The National Institute of Standards and Technology (NIST) provides an enormous quantity of freely available information. NIST’s Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework) is published on the NIST website, and a new draft, Version 1.1, was released in January 2017. Their Cybersecurity Framework Workshop starts on May 16, 2017 in Gaithersburg, MD if you would like to attend and learn more about it. NIST also offers a webcast with an overview of the Framework. In their words, “The core of the framework was designed to cover the entire breadth of cybersecurity . . . across cyber, physical, and personnel.“[xi]
NIST also provides three Special Publication (SP) series: SP800 deals with Computer Security, SP1800 contains Cybersecurity Practice Guides, and SP500 covers Computer Systems Technology.
SP800-53, Security and Privacy Controls for Federal Information Systems and Organizations will likely be an essential part of your planning process if you are building upon NIST.
If a division of your public sector organization provides clinical services, it might fit the definition of a covered entity (CE). If so, that division is required to comply with applicable federal regulations including the HIPAA Security Rule. The regulation provides a clear, jargon-free framework for developing information security policies and programs. While it won’t address all the requirements for a municipal cybersecurity program, it can help you build a solid foundation for your security programs. I don’t have any official data on HIPAA Security Rule compliance in municipal organizations, but my personal experience is that it is extremely low. Is your CE compliant? If not, why not bring your entire organization up to HIPAA standards?
I have worked extensively with HIPAA regulations and NIST products for nearly two decades and I like them a lot. If they are not a good fit for your organization, there are other resources, including the following three.
The Information Security Forum (ISF) publishes the Standard of Good Practice for Information Security, available free to ISF members.
The International Organization for Standardization (ISO) publishes the ISO/IEC 27000 family of standards for information security management systems. ISO products are not inexpensive, but in the overall scheme of things you might find them to be a reasonable investment. Organizations can certify their ISMS against ISO/IEC 27001 through accredited registrars, which can also be an expensive process.
ISACA publishes COBIT 5, “the leading framework for the governance and management of enterprise IT,” which provides an integrated information security framework as part of a larger IT governance framework. According to Joseph Granneman, “It is the most commonly used framework to achieve compliance with Sarbanes-Oxley rules.”[xii]
The role of vendors
Trusted vendors can be helpful in building your programs, but overreliance on vendors for security advice is a suboptimal approach. While they may be knowledgeable about many aspects of your industry, only you and your cross-functional IG team truly understand your business requirements. Their job is to “sell you stuff” but they will generally draw the line at writing policy and taking responsibility for overall information security in your organization. If there is a major breach or some other catastrophic security event in your organization that becomes public, you are the one whose picture will be in the paper.
Summary – one step at a time
Take a few simple steps to improving your cybersecurity infrastructure:
- Establish an IG committee and program.
- Discover and map your information universe.
- Establish an information security framework and security policy.
- Develop and implement your cybersecurity plan, based on the above.
- Use a cycle of continuous improvement.
This article first appeared in two parts in my CIO.COM column at:
A continuation of the subject appeared in:
References, Resources and Further Reading
Four critical challenges to state and local government cybersecurity efforts. Government Technology. July 17, 2015.
The need for greater focus on the cybersecurity challenges facing small and midsize businesses. Commissioner Luis A. Aguilar, October 19, 2015. US Securities and Exchange Commission.
How state governments are addressing cybersecurity. Brookings Institution. Gregory Dawson and Kevin C. Desouza. March 2015.
Human error is to blame for most breaches. Cybersecuritytrend.com.
[i] The state of cybersecurity in local, state and federal government. Ponemon Institute. October 2015.
[ii] The vast majority of the government lacks clear cybersecurity plans. Brookings Institution. February 3, 2015. Kevin C. Desouza and Kena Fedorschak.
[ix] The biggest cybersecurity threats are inside your company. Harvard Business Review. Marc van Zadelhoff. September 19, 2016.
[xii] IT security frameworks and standards: Choosing the right one. Joseph Granneman, Techtarget.com. September 2013.
This article first appeared in cio.com at http://www.cio.com/article/3184618/government-use-of-it/county-and-municipal-cybersecurity-part-1.html
© Copyright Jeffrey Morgan, 2017
Data, facts and interpretation
Are managers and employees on your team comfortable with absolute truth and honesty? Are your organizational processes and management decisions transparent? Can you and your team discuss data, facts and interpretation without anyone’s hair catching on fire? I am not talking about ad hominem attacks, although members of an organization may take the presentation of facts personally. I am talking about the ability to rationally and objectively discuss subjects such as performance, weaknesses and failure in order to find solutions.
Will you shoot the messenger?
Naked Truth and Brutal Honesty are my two most valued employees. Clients sometimes ask for them by name, but they accompany me on every engagement regardless of whether or not they were invited. Don’t worry — there is no extra charge for them.
Over the years, one or two clients have not appreciated their input and we’ve all been summarily dismissed. Oh, well. Who needs those kinds of clients, anyway? Honesty and truth are essential components of the “whole package” comprising personal integrity. If you are willing to mold the truth for a fee, you lack the critical firmware package that also includes ethics and morality.
We worry about artificial intelligence, and we should. If A.I. eventually turns out to be made of the same malleable moral and ethical clay as the natural intelligence possessed by humans, we’ll be in big trouble when A.I. finally breaks out of its nursery. Sometimes, it’s not even a matter of ethics or morality. We often can’t recognize truth when it’s flashing furiously right in front of our eyes. Why should we expect better of machines?
Can facts be offensive?
One time I offended one member of a group by calling them all troglodytes because of their antiquated and inefficient business processes. I said it in an affable, humorous sort of way, but it was on the West Coast! What can I say?
However, I have often had hard pushback from organizational management when presenting straight facts such as, “Your organization lacks statutorily required privacy and security policies including X, Y and Z.” You can put a copy of the law right in front of them and they will still engage in virulent refutation.
You can’t handle the truth
In the consulting business, one is often asked to provide assessments. Most of us try to keep it real, but let’s face it — bogus assessments didn’t disappear when Arthur Andersen LLP was buried in 2002. Smashing through the granite wall of denial that is a cultural characteristic of many organizations can be a Herculean task, and sometimes one has to accept failure when the wall proves to be impenetrable. Observing the nature of denial is both fascinating and frustrating, and it is sad to watch otherwise intelligent people explode in an angry burst of denial when you attempt to show them that 2+2=4.
One wonders why organizations so often contract assessments and then completely reject not only the conclusions but the facts. Arthur Andersen the person (1885-1947) lived by the motto “Think straight, talk straight,” but such behavior is not a part of the culture of most organizations I have encountered. When it came to audits, Andersen believed that the “responsibility was to investors, not their clients’ management.” Had his company continued to embrace that philosophy after his death, it would likely still be in business.
Honesty and transparency are essential foundations of sound management. At investment management firm Bridgewater Associates, for instance, brutal honesty is a workplace requirement. Sadly, in most organizations, the pursuit of truth is neither familiar nor welcome. Bridgewater is governed by a set of “Principles” compiled by founder Ray Dalio. In an online presentation of the principles, Dalio instructs the reader, “When digesting each principle, please… ask yourself: Is it true?” Truth is always the best starting point.
Is it true?
My best teachers and professors all taught me to relentlessly ask that question about everything. I recall one graduate seminar where we went through some pretty lengthy scholarly works dissecting every sentence. It was a brutal exercise. What I learned is that a great deal of what was considered to be definitive and scholarly was questionable or sometimes just flat out wrong once it was closely examined.
Consensus is not proof
The traps of lazy thinking, false assumptions and groupthink are permanently set and perfectly positioned to capture us. In spite of decades of training, I still have to consciously avoid being snared by them. Conventional Wisdom and Consensus have no place in business, science or public policy but they often control and dominate the conversation.
In 1980, the consensus among physicians was that “stress and lifestyle factors were the major causes of peptic ulcer disease.” Barry J. Marshall and Robin Warren discovered in 1982 that the actual cause was Helicobacter pylori. They were initially ridiculed, but were awarded a Nobel Prize for their discovery in 2005. There is an extensive history of ideas that bucked consensus. When consensus rather than fact is presented as evidence, we should be skeptical and demand proof.
Equivocation, rationalization and justification seem to be acceptable management tools in too many private- and public-sector entities. Honesty shouldn’t be considered “brutal,” and it is only thought to be so because we so rarely encounter it in its natural form. Introducing honesty and naked truth to your organization might be a great goal for 2017.
This article first appeared on cio.com at http://www.cio.com/article/3162094/leadership-management/is-naked-truth-part-of-your-business-model.html
© Copyright Jeffrey Morgan, 2017
In 1987, I was in the army and stationed at Camp Red Cloud in the Republic of Korea. One weekend morning, I had to track down a colleague whom I knew to be shacking up with one of the bar girls from our favorite hangout in Uijeongbu (의정부시). We’ll call him Sgt. Bob and we’ll call her Miss Kim. They were both really nice people and made a cute couple. Miss Kim answered the door and WHOOOAAA! Holy Cow! 아이고! I had only seen her at night, in a dimly lit dive bar wearing a kilo of makeup. The person who opened the apartment door that morning was much different in appearance.
I was reminded of that experience recently when I read the project charter for a troubled and failing software implementation. If bogus management mumbo jumbo actually got projects done, this undertaking would have been a fantastic success rather than drowning eight figures deep under water.
Beautiful planning documents
The project documentation was elaborate and beautiful. In 30 years of working on some pretty big projects, I have neither seen nor produced anything so impressive. It was all right out of PMBOK (the Project Management Body of Knowledge) and included all the pretentious, pseudo-business jargon one expects from graduates of third-rate business schools.
Discussing the project with management in the rarified environment of the C-suite, I could see all the butterflies, unicorns and balloons the executives were describing. They made it clear that any problems with the project were someone else’s fault. In the raw light of day, though, without the management makeover, the project started to look a lot more like Miss Kim did that Sunday morning.
Had this been a private-sector project, the PM and a couple of the executives would have been forced to change their LinkedIn headlines to “seeking new opportunities.” In the public sector, depending upon the organization, you can screw up big-time and generally still keep your six-figure job. You might even get promoted!
No one involved in the grossly overstaffed and overbudget project had a clear vision of what the final product was supposed to look like or how it should function. As things continued to go wrong, more money and more unqualified people were thrown at the problems. There were no quality control mechanisms in place, and no one was really accountable for anything. It was all overseen and managed by people with PMP certifications. Typical public-sector IT, really. Firing the entire team was certainly advisable and justified, and many organizations would have taken that approach.
One problem was that the people leading the project really believed they had the required skills and knowledge, in spite of all the evidence to the contrary. After all, they had official-looking pieces of paper that said they were certified to manage projects. They thought they were brilliant managers and no one had ever told them anything different.
Do you think the $2.14 billion Affordable Care Act website was an anomaly? Nope! In smaller county and municipal government organizations, six- and seven-figure IT disasters aren’t uncommon. In larger municipalities and counties, eight-figure FUBARs aren’t rare. Once you get to the state and federal level, the disasters can easily hit nine figures and the losses frequently end up buried in unmarked graves. Taxpayers rarely hear about these massive failures. The culprits get to keep their jobs and end up with generous defined-benefit retirements.
Twenty years ago, one tech industry crisis was the “Paper MCSE” — someone with a Microsoft certification who had never touched a server. Project management seems to be in a similar crisis now. It seems that everyone is a PMP. One government project I have been following has received a few hundred million dollars in federal grant money, and they have been hiring lots of PMPs. All of them appear to be 12 or 13 years old, so I’m not clear on how they met the experience requirements for the certification.
Failure and the truth about management
One essential management skill not taught as part of the PMP or any other certification is recognizing and managing failure. The ability to identify failure, call it and transition to the success track is rare. In order to do that, one has to be able to say:
“I was wrong!
I managed that poorly!
I see where I went wrong and I will do it better next time.”
This almost never happens, especially in the public sector. Give it a try. Practice saying it if it doesn’t come naturally. Familiarity with failure is a big part of success.
Unfortunately, ensuring the success of complex projects requires more than the creation of cool-looking documentation and checking off boxes as recommended in a handbook. Management of a complex project and a horde of stakeholders and vendors isn’t something you learn in a 35-hour class, and passing a multiple-choice test proves nothing about your ability to do it. If you have no idea what you’re doing, and no idea what you are trying to achieve, no methodology or framework will save you. One can’t just stick pins in a doll and expect something magical to happen.
This article was first published on cio.com at http://www.cio.com/article/3159118/project-management/voodoo-project-management.html
© Copyright Jeffrey Morgan, 2017
Birdie’s front leg was broken in two places when I found him on the side of a dirt road just three days after the 2008 election. I knew he was a sign of one sort or another — a guardian angel in the form of an English Shepherd.
I boosted him into the back seat of my car and took him directly to my vet. He had been abandoned; apparently part of the huge pet dumping that was one result of the 2008 financial crisis. When I brought him home, my wife immediately threatened divorce, but that saga wouldn’t really begin for another 18 months or so.
Driving back and forth to Penn State with Birdie in the back seat, my son and I watched one manifestation of the financial crisis play out in slow motion. What were once numerous, prosperous car lots became spooky, empty, and deserted over the first two years of my son’s college experience. By the time he was a junior, almost every car dealer on the five-hour round trip had gone out of business. Remember ARRA, cash for clunkers, shovel-ready jobs, and other dubious programs of the time?
A few months after I adopted Birdie, my mother was diagnosed with Melanoma. She was 79 but would probably have lived a few more years had she been diagnosed sooner. This was all happening during the debate over the Affordable Care Act. Maybe debate is the wrong word. It was more like a violent assault that has left us all with an incurable STD.
Our first protest
My mother passed away at home in the summer of 2009 and a few months later, my youngest daughter and I went to our first protest in Washington on September 12. I had never before been interested in attending such an event, but the arrogance, petulance and condescension on display at the White House made me determined to show my support for the resistance. It was exciting to peacefully demonstrate with hundreds of thousands of other Americans. Unfortunately, that was one of the few peaceful protests of the last 8 years.
The ACA, and virtually everything else to come from the administration over the last 8 years have been disasters in every way. Problems that required careful engineering and a screwdriver to fix were instead addressed with jackhammers and explosives by dishonest, sleazy politicians with bad intent.
A triple bypass
In 2010, while the stitches that held my marriage together were rapidly dissolving, my father required a triple bypass. The outcome of that medical emergency was a great success. The whole family was home for the Thanksgiving holiday and at the hospital when my father woke up from an attempt to put in a stent. The doctor explained that he had to have surgery immediately, because he “might not survive a trip to the parking lot.” My father asked, “Can I think about it for a couple of weeks?” It was 10 days before he was able to leave the hospital again, but he is still going strong at 87.
2011 ushered in a couple of horrific years of brutal divorce litigation that became a full-time job. There was even an additional year of litigation after the divorce was final! My children were all adults and had vanished into the military, and the divorce became final at the end of Obama’s first term.
My whole life had changed radically and catastrophically during Obama’s first term and would continue to change rapidly in the second, but Birdie was still watching over me.
At the end of the rainbow
I met my new wife just as my divorce was finalized and started working with her soon after the inauguration in 2013. I was instantly captivated and smitten. She is my pot of gold at the end of the rainbow and the most valuable treasure on the planet. It was during that time that the truth about Benghazi began to emerge.
It is difficult for me not to associate the upheaval in my own life with what has happened in the political arena during the last eight years as new political outrages seemed to pop out before the last ones were finished. We are currently stuck with a high U6 unemployment rate of 9.20%, historically low GDP growth, and racial and cultural divisions that have been significantly exacerbated by the President. Instead of Hope and Change, we got an angry, bitter demagogue with the worst case of Narcissistic Personality Disorder ever seen.
My wife and I have been living in a bubble on the longest honeymoon ever during the last couple of years, so I have been less aware of the outrages coming out of Washington. However, I am optimistic about the next eight years in my personal life and I am at least hopeful about the next 8 years for the country.
Birdie is still with me, too. He is deaf, has cataracts, and his bladder is considerably weaker than it was just a few short years ago. He sleeps almost all the time now and snores loudly. He and I are both looking forward to getting off Mr. Toad’s Wild Ride.
Thank God these eight years are almost over! In spite of the good things that have happened to me personally, the negative impact of the last 8 years will haunt the country for years and maybe decades to come.
Goodbye to all that, good riddance and let’s hope the next 8 years are more fruitful for everyone.
© Copyright Jeffrey Morgan, 2016
IT projects versus business projects. Confusing the two is more common than you think, and the results are often disastrous. Unfortunately, most stakeholders – managers, end users and IT professionals alike – frequently fail to understand the distinction.
What type of project is this?
I recently sent an SOW (statement of work) to a potential client proposing assistance with a complex business process project – an EHR (electronic health records) implementation that was off track. The client pasted a summary of my offering in an e-mail and sent it to a colleague in the IT Infrastructure business, apparently seeking a better price. My colleague immediately realized this was not in his bailiwick and he forwarded the e-mail to me! Questionable business ethics on the client’s part notwithstanding, the client was fortunate that my colleague apprehended the nature of the project and understood that none of his staff members were qualified to perform the services.
A less ethical vendor would have been happy to dispatch an employee to run up billable hours without having any idea of how to identify and resolve the underlying causes. Industry-specific workflow, regulatory requirements, and complex reporting are not typically part of the toolkit of IT Infrastructure professionals. Customers are sometimes unable to understand this concept. The way they see it:
Software not meeting business needs? Call IT
The truth that their problems are of a business process nature rather than technical is not immediately apparent to many end users and managers. Some immediately see the difference between process issues and technical ones as self-evident, others grasp it quickly with some explanation, and a few never understand the difference no matter how much explanation one provides. Technology should never be applied until all the processes are completely understood, but I have encountered plenty of CIOs and other professionals who are unable to comprehend this.
Enter the business analyst
Many organizations now employ “business analysts” to create a bridge between IT and business lines. It is a great concept, but sometimes these folks are just techs with a slightly better wardrobe. When they use words like paradigm and leverage, it’s a dead giveaway that they’re faking it. The same goes for consultants.
Something I have seen a few times is a troop of business analysts, IT managers, and project managers scratching their heads, wondering why their eight-figure project is grossly over-budget yet performing so poorly. Often, these people have been working for the organization for years but can’t answer basic questions about processes, quality assurance, compliance and workflow. I have this old fashioned notion – in return for a cushy six-figure salary, one should be able to answer these sorts of questions.
What exactly is an IT project?
Is ERP (enterprise resource planning) procurement and implementation an IT Project? How about an ERMS (electronic records management system) or a public safety CAD (computer aided dispatch) system?
In my opinion, these are clearly not IT projects. IT should be involved to the extent that they provide a platform, infrastructure and ensure compliance with organizational standards, but getting IT involved with issues of design and workflow can lead to a disaster.
How about a VoIP system? That’s slightly more complicated, but the features and functionality of such a system have a significant impact on end users. Without user input when developing requirements, it is unlikely that the system will fully meet the customer’s business requirements.
Is network infrastructure an IT project? If there actually were such a thing as an IT project, network infrastructure might just be such a project. However, there are only business projects. Even infrastructure projects must address the needs of the business as defined by the users who execute the processes.
Leave IT to the experts
There is a paternalistic tendency of many in our industry to say “We know what you need. Leave it to the experts.” The finest managers, consultants and analysts I have observed are Socratic in their methods. They assume nothing and ask questions rather than make pronouncements. Assuming they know what users need is certainly one of the deadly sins of IT Directors and CIOs.
A philosophical approach is especially important when organizational managers insist on asking the wrong questions. One example is where the management asks “Which ERP should we buy?” rather than asking “What should our business processes look like?” The first question depends on a priori assumptions and is likely to lead to a suboptimal solution or an outright failure. Pursuing the second question with a disciplined approach is likely to produce significant improvements in business operations, but it requires a great deal more work.
Product vs. process
The notion that a product will magically solve business problems is as popular as it is preposterous. One can’t blame vendors for marketing their product as the prescription for all business ills, but one can blame managers and CIOs for believing such hogwash. This tends to be the most difficult conversation I have with clients. They want to buy a product, as if it is a simple choice between a Subaru and a Toyota. What they don’t want to hear is: “We need to take a close look at all your business processes and evaluate your assumptions,” but this is what should occur before evaluating software.
It’s not about IT and not about buying a product. It’s all about your business processes. Focus on business processes and when the time comes to apply technology, you’ll get it right.
© Copyright Jeffrey Morgan, 2016
This article first appeared on CIO.COM at http://www.cio.com/article/3128242/leadership-management/on-the-nature-of-it-projects.html
Tell me about your processes
“I hope you’re not going to show me a bunch of flowcharts. At the last place I worked, they flowcharted everything.” Thus spoke a client in a consultation about his troubled EHR (electronic health records) project. It wasn’t difficult to figure out where the project went off track; it was doomed from the beginning.
My inner Jeff Lebowski wanted to shout, “Dude! You didn’t map your processes. No wonder your EHR doesn’t work.” Process mapping should have taken place long before my client began discussions with vendors. The RFP should have included process maps so the bidding vendors would have had a clear understanding of what they were required to build.
Map your processes!
Let’s take a look at a high-level process diagram for an outpatient behavioral health clinic. This is one possible workflow map, but every organization is different. The level of detail your mapping reaches depends on your business requirements, but it is reasonable to contemplate and document field-level requirements before beginning your procurement process. For instance, do you need a field that identifies whether a client contact was by phone or in-person? If you don’t proactively account for every component, it may be too late for an optimal solution once implementation has begun.
My wife has been looking for a pair of red shoes for three years. Not just any red shoes — they must meet very specific requirements. They must have high heels and pointy toes, they must be comfortable enough to wear all day, and they should be a specific shade of red leather. They must also match clothing already in her wardrobe. Brand doesn’t matter, and the ideal price would be in the low-medium three-figures. She has designed them in her mind, but she hasn’t been able to find them in a store yet. Shoes are a big deal, so it’s a complicated process.
Shopping for enterprise software isn’t so different from getting the perfect pair of red shoes. Envision what the ideal software application will look like before you even begin shopping, and design it together with your team. Evaluate and document all the processes from initial client contact through discharge. What happens at every step? What are the inputs and outputs for each process? Do you need a screen that replicates a face sheet? What does a billable progress note look like, and how will it link to the practice management (PM) system? What will all the reports and other outputs look like? Does it have to interface with existing applications and processes?
At a minimum, your “design” team should consist of clinicians, billing professionals, other subject matter experts and possibly legal counsel. Depending on how your applications are supported, you might want to invite IT. However, allowing IT to manage the design and process mapping is a big mistake since they are unlikely to understand the clinical nature of the project.
Does this all sound expensive and time-consuming? I can assure you that a failed EHR implementation is far more expensive. Eight- and nine-figure failures are not unusual, and years can be wasted until organizations are willing to say uncle and admit they got it wrong.
Plan to maximize revenue
Another critical exercise is the development of a catalog of services aligned with both customers and payers. For instance, if the majority of your clients are covered under Medicaid, the services offered should align with how Medicaid pays for those services. Unless you are in the charity business, you can’t afford to offer services for which you will not be paid.
Many organizations are able to significantly increase revenue and decrease denials by carefully evaluating their business processes at this stage.
How will staffing be affected by your new system? You may need more or less staff, or may need different skills once your new system is in place.
Plan for quality and compliance
Quality assurance (QA) and regulatory compliance must be built into the system at the design/conceptual stage. We learned from W.E. Deming that it is too late to build quality into a product once the plans are partly in place. Therefore, compliance, QA, and privacy and security must be considered at the design/process mapping phase.
Root causes of failure
Success with an EHR or any other type of enterprise project is neither accidental nor mysterious. One root cause of EHR project failure is invariably failure to understand and account for organizational business processes. Hubris is another root cause of project failure, and the vast majority of the time — 94%, according to Deming — these sorts of failures are failures of management. The crisis of management is not a mystery either, and Harvard Business Review provides a good discussion on the subject.
Don’t fear the flowchart!
© Copyright Jeffrey Morgan, 2016
This article first appeared on cio.com at: http://www.cio.com/article/3138958/software/heres-why-your-ehr-doesnt-work.html
May I see your comprehensive security policy please?
Huh? What’s that?
Lack of compliance with the HIPAA security standards is common in county and municipal government agencies even though many of these organizations have covered entities (CE) under their umbrellas. For some reason, almost everyone got the memo on required compliance with HIPAA privacy rules in 2003, but many organizations missed the subsequent memo on required compliance with security rules by April of 2005.
Nearly 14 years have passed since the security rule was published, and I have no explanation for the compliance lacuna that exists today. If you are an executive, manager or provide IT services for a CE, your security policy should be as well-worn as your kids’ Harry Potter books.
If someone (i.e. an auditor) asks about your compliance program, you should be able to succinctly summarize it and immediately provide documentation of your compliance activities. If this doesn’t describe your organization, you are not alone, and there is no time like the present to begin the process.
Compliance isn’t a one-time, passive event, and there are routine steps you must take to ensure the CIA (confidentiality, integrity and availability) of your clients’ protected health information (PHI).
Denial and disbelief
Denial and disbelief are the first two stumbling blocks I encounter when informing managers in government agencies that they are not in compliance with HIPAA. Sickening yellow clouds of realization dawn over a period of several weeks while I continue to email copies of the Code of Federal Regulations (CFR) to the relevant parties. The attorney is generally the first to comprehend the magnitude of the situation.
Holistic information security
I talk about security policies rather than HIPAA policies. Something that is also common in municipal government is a lack of information security policies based on some generally accepted standard or framework for information security. You can and should address HIPAA security requirements and your overarching organizational information security requirements together.
Form a governance committee
Developing your security policy isn’t an IT project; it is part of an Information Governance program. A cross-functional team including representation from several organizational entities must be part of the process for developing your information security policies. Here are the roles I generally request to be part of the policy development team:
1. Executive owner
4. Information technology
5. Line of business units
6. Records management
7. Risk management, privacy and information security officer roles (Many municipal governments do not employ these functional roles, but they will once they have developed their policy).
Read the regulations!
I am a big believer in always working from primary sources. I encourage you to embark upon your HIPAA journey by reading the full text of the regulations. In the table below, I have hyperlinked them for your convenience. When I write policies for clients, I work directly from the regulation with their policy or governance committee so that everyone understands the process and the final result. Even so, clients will often argue about something that is projected on the wall right in front of them. I link every client policy to the corresponding HIPAA requirement.
Primary sources for compliance – educate yourself
| Resource | Description | Date / version |
|---|---|---|
| HIPAA Privacy Rule | 45 CFR Parts 160 and 164, Standards for Privacy of Individually Identifiable Health Information | Final Rule – December 28, 2000 |
| HIPAA Security Rule | 45 CFR Parts 160, 162, 164 | Final Rule – February 2003 |
| HIPAA Combined Regulation Text | HIPAA Administrative Simplification | Unofficial version amended through March 2013, combining the privacy and security rules |
| HITECH Act Enforcement | HITECH Act interim final rule; includes penalties for non-compliance | October 30, 2009 |
| NIST Special Publication 800-53 | Security and Privacy Controls for Federal Information Systems and Organizations | Revision 4, April 2013 |
| Privacy Rule Resources | HHS.GOV resources | |
| Guide to Privacy and Security of Electronic Health Information | Office of the National Coordinator for Health Information Technology | Version 2.0, April 2015 |
| NIST HIPAA Security Rule Toolkit | Downloads and tools from NIST for assessment, etc. | |
| NIST Special Publication 800-66 | An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule | October 2008 |
| Security Risk Assessment Tool | HealthIT.Gov | Executable tool; paper copy available too |
In a previous article on the subject, I provided a sample, high-level compliance matrix for a security policy aligned with HIPAA.
Vendors often market products as being “HIPAA compliant.” If you have read the regulations above, you now know that there is no such thing. The HIPAA security rule is technology-neutral, and any reference to compliance would be to your organization’s policy rather than to the rule itself.
Get to work!
If you are now nauseous because you realize that you are not even remotely in compliance, that’s a good thing. Use that feeling to quickly get to work to protect your organizational information assets.
© Copyright Jeffrey Morgan, 2016
This article first appeared on CIO.COM at http://www.cio.com/article/3134484/government/may-i-see-your-comprehensive-security-policy-please.html
A client recently made a statement to me that roughly translated as I am concerned about the high cost of doing a quality job. Wow! Talk about not understanding the impact of quality. The organization was hemorrhaging from the consequences of low-quality work in a major software implementation. One of several root causes of that situation was a complete lack of quality management in the software build.
Unfortunately, they were contemplating the same ineffective approach the second time around. It was as if their failure had been caused by some mysterious external factor rather than poor management. If an enterprise software implementation is a disaster the first time around, using the same management approach will produce the very same outcome every time thereafter. Quality must be envisioned and planned from inception. “Once the plans are part way in place, it is too late to build quality into a product.” (Deming, W. Edwards. Out of the Crisis (p. 212). The MIT Press. Kindle Edition.)
High-quality work is expensive, but you only pay for it once. Low-quality work is unaffordable, because your organization will pay the price forever.
Quality is universal and interdisciplinary
I found my first really good piano teacher when I was 16 and the fundamentals of quality I learned from her still resonate intensely nearly 40 years later. I have yet to master and live up to the standards she taught me in the late 1970s. Over the ensuing years, I learned a great deal from many other fine teachers and mentors, but none instilled in me the work ethic and pursuit of perfection that Bella did.
Bella had been a student of Isabelle Vengerova at the Curtis Institute of Music along with many of the finest musicians of the 20th century. Every week for several years, Bella and Max (her English bulldog) put me through a grueling workout that included a devastating blend of castigation, insults and humiliation. In our second lesson, she told me, “My god, I do believe that is the worst thing I have ever heard.”
I kept going back for more because the value received was far greater than the pain inflicted. She was a chain-smoker and bore a striking resemblance to Max — they were both adorable. Neither she nor Max were proponents of the namby-pamby, “I’m OK, you’re OK” coaching and management style that rules today’s world. I had to work my ass off to get a minuscule compliment, and her brutal honesty toughened me up considerably.
Bella taught her students to seek perfection by relentlessly focusing on fundamentals while adhering to the highest standards of quality. “It’s not what you play; it’s how well you play it” she taught.
Most of the managers I encounter could learn a great deal from Bella’s approach to quality management, but only if they could learn to tolerate brutal honesty and the deep introspection that it should trigger. Too much management is based on quantity rather than quality.
Consequences for delivering poor quality
A while back, I had a contract with a generally well-managed company that was 300% over budget on its ERP implementation. The executive team quickly grasped the root cause of this problem: The CIO had championed the project, established business requirements, and managed the implementation. It was his responsibility to ensure that quality goals were met. That company believed in accountability so the CIO decided it was time to retire.
Quality is inclusive
One of the things I like about an agile approach for business process and software development is the inclusion of end users from the very beginning. Agile recognizes that quality is defined by the customer rather than by specifications. Customer-centric quality control is built into the process.
End user participation and input is absolutely essential to creation and validation of quality during the process of building a system, whether it is a commercial product or custom-developed software. Some of you are probably saying, “Jeff, that’s self-evident. Everyone already knows this.”
Unfortunately, everyone does not. Every major enterprise project failure I have studied over the last 20 years has largely excluded end users from the development and quality validation processes. The application was dumped on the plate of the end user with an attitude that said Here it is; you had better like it. In those failed projects, quality was defined by a developer or by managers who would never use the product. Consequently, there is a direct correlation between project failure and exclusion of end users, at least in my experience.
In many of these failures, a traditional project management approach had also been used. Maybe the result was due to the practitioners rather than the approach, though. There is no reason why one can’t modify a waterfall project management approach to include end user quality validation. The only thing likely to get in the way is the ego of the project manager.
Quality creates a chain reaction
I have seen the results of brilliant quality management in many organizations. Outstanding quality is visible when you walk in the door, and you can hear it through a phone in the voice of a receptionist. Every employee in the organization radiates excellence, and the entire organization is just wet and dripping with exceptional quality. One organization that immediately comes to mind is the Memorial Sloan Kettering Cancer Center in Manhattan, but many organizations do it fantastically well.
When you do it right, the quest for quality becomes part of your organizational culture. You can implement quality in your department, but you’ll find it easier if you have executive support.
Improvement of quality transfers waste of man-hours and of machine-time into the manufacture of good product and better service. The result is a chain reaction — lower costs, better competitive position, happier people on the job, jobs, and more jobs. (Deming, W. Edwards. Out of the Crisis (p. 2). The MIT Press. Kindle Edition.)
How about your organization? Is it slick and shiny with quality? Or dingy and rundown like a barracks in a Soviet gulag?
If you would like to read more about quality, try the following works:
Out of the Crisis, by W. Edwards Deming.
Managerial Breakthrough, by Joseph M. Juran.
© Copyright Jeffrey Morgan, 2016
This article first appeared on CIO.COM at http://www.cio.com/article/3131977/leadership-management/we-cant-afford-quality.html