Dissecting Digital Health — with Theresa Meadows

Nurse, clinical informatician, healthcare CIO, cybersecurity expert and someone who has the ear of senior players in the Health and Human Services department of the US government. Theresa Meadows’ career path has always had at its core a desire to give back to the community and to do her part to improve the care people have available to them and its quality. She believes healthcare cybersecurity is a patient safety issue.


This is the full transcript of the podcast Dissecting Digital Health with Dr Louise Schaper, interview with Theresa Meadows, Senior Vice President CIO at Cook Children’s Health Care System & Co-Chair of The Health Care Industry Cybersecurity Task Force of the US Department of Health and Human Services.

Guest: Theresa Meadows, Health Care Industry Cybersecurity Task Force
Host: Dr Louise Schaper, HISA
Twitter: Louise @louise_schaper, Theresa @tzmeadows
Production: This podcast is produced by Ivan Juric


Show Notes

[02:33] Opening remarks by Dr Louise Schaper.

[02:51] Today’s guest, Theresa Meadows, introduces herself and like many we’ve interviewed in health informatics, Theresa has more than one role in her professional life.

[03:14] Louise asks Theresa about her background as a nurse and experience especially as a female nurse who is now head of a CyberSecurity Task Force. Theresa shares her experience as a woman in health IT and her unexpected change in careers. Louise enquires about her story of career transition and Theresa talks about a temporary project she was given as a nurse, that led her to where she is today.

[06:43] The two begin discussing the absence of women in the field, and the benefits that women bring to healthcare IT. Louise brings up the very social aspect of informatics that deals with problem solving more than with technology. Theresa agrees and talks about the shift happening in the field through this discovery.

[10:29] Louise digs deeper into the evolution of security and Theresa’s need to protect patients through her role. Theresa reflects on the purpose of her career in the big picture, to protect, but also to allow the people she’s helping to reach their full potential in life.

[12:28] Louise asks Theresa if she has met Obama yet, which has Theresa diving into the diverse kinds of stakeholders she’s worked with, including white hat hackers. Theresa talks about the purpose in security being more focused on recovery than prevention.

[14:24] Louise has Theresa share more about the task force and the outcomes that they are aiming to deliver. Theresa outlines the main goals, from identifying best practices to developing a risk matrix.

[16:27] Theresa shares that the role is voluntary and that the team is small. She talks about their goals to come up with recommendations and findings in a way that other initiatives can take them further. She also tells Louise about getting input from public blogs on the website as a way to make practical and implementable recommendations.

Louise closes the conversation by having Theresa share any advice and encouragement for nurses to dive into healthcare IT. Theresa encourages nurses and women to be risk takers, rather than be so concerned with knowing about something thoroughly before taking part. Finally, Louise asks Theresa to also share what success means to her in her career, to which Theresa reflects on what is most fulfilling about her role.

[21:25] Closing remarks

Theresa Meadows addresses the crowd at HIC 2016 in Melbourne, Australia.

Full Transcript

Opening Remarks by Dr Louise Schaper

[02:33] Louise: Well thank you today for joining me today out in podcast-land for Dissecting Digital Health. I’m your host, Louise Schaper, and I’m broadcasting from the HIC Conference in Melbourne, and we have an illustrious keynote speaker who has agreed to chat with us today on the podcast. Guest, who are you?

Today’s guest, Theresa Meadows, introduces herself and like many we’ve interviewed in health informatics, Theresa has more than one role in her professional life.

[02:51] Theresa: Hi, I’m Theresa Meadows. I’m the Chief Information Officer for Cook Children’s in Fort Worth, Texas, but I’m also the co-chair of the Health and Human Services Cyber Security Task Force, so two jobs.

[03:02] Louise: So does that come with a pair of like, aviator sunglasses? [laughter]

[03:05] Theresa: Something really cool?…it’d be really nice.

[03:07] Louise: So it doesn’t?

[03:08] Theresa: No.

[03:09] Louise: Alright, maybe we should write to Obama and just say “look, we’ve just got a suggestion..”

[03:12] Theresa: Absolutely.

Louise asks Theresa about her background as a nurse and experience especially as a female nurse who is now head of a CyberSecurity Task Force. Theresa shares her experience as a woman in health IT and her unexpected change in careers. Louise enquires about her story of career transition and Theresa talks about a temporary project she was given as a nurse, that led her to where she is today.

[03:14] Louise: Alright, where should we start? Because I really wanted to have a chat with you, because you trained as a nurse — is that right?

[03:20] Theresa: That’s correct, yes.

[03:21] Louise: Yeah. So you’re a female nurse — not so rare, but a female nurse who has become a CIO and is now the head of a Cyber Security Task Force set up by the Obama administration. There’s probably not that many of you around, I’d imagine?

[03:35] Theresa: I think last night at dinner someone said, “you’re a unicorn!” [laughter] I am somewhat of a unicorn, I think. It’s very rare to be a woman in healthcare IT, but two, to be a nurse and really lead a large organisation from an IT perspective is very rare, and it’s been a great honour and a challenge, and not something I had ever thought would happen over the course of my career, so it’s been a really great experience.

[04:01] Louise: So what did you plan?

[04:03] Theresa: You know, I’m not much of a planner, so when I went to nursing school, I thought I wanted to be a nurse — an anaesthetist — and actually, I went to one class in the operating room and hated it so much that I thought, “okay, I don’t know what I’m going to do now.” So I just planned to be a nurse and take care of patients, and help the community and help the population. It’s amazing how things change over the course of your career, without expecting it.

[04:29] Louise: Yeah, well did you want to be a nurse when you were younger?

[04:32] Theresa: I did. I did want to be a nurse, my whole career I wanted to do something in healthcare. I grew up in a really small town in rural Alabama and so there wasn’t a lot of healthcare available, and so I always wanted to do something where I could give back to the community. So that was really — I thought that would be the easiest, best way to do that, but very little forethought on what I would do after that, for sure [laughter].

[04:54] Louise: What was the transition? So, you’re working as a nurse, and how did you get more interested and involved in the IT component?

[05:03] Theresa: It’s really interesting. In 1995-ish, the hospital where I was working — it was a large university hospital, about 900 beds — was going to implement physician order entry, and they thought the best way to engage the physicians was to have nurses be their support systems, so be their trainers, work with them on building their documentation, order sets, and so they just recruited nurses off the nursing units with no experience. We rarely had computers on our nursing units at that time. Our head nurse manager said to me, “Oh, Theresa, you’re good with doctors. Would you like to learn something new?” and she said, “It’ll be a two-year project. You’ll work on the project and then come back to the floor and resume your nursing responsibilities”. I was really young then, so I thought, “No weekends, no nights, no holidays? I think I could learn something new!” [laughter] So really, it wasn’t about I wanted to get into technology and that was something I wanted to do. My whole thought process was, “Wow, a little break…that would be nice.”

I worked cardiac transplants, so it was a very stressful — psychological stressful — nursing job, and so I thought, “That would be a good break, and then I’ll come back and do what I do”, but I didn’t know that IT projects are never over.

[06:16] Louise: So you never went back?

[06:18] Theresa: I never went back — it’s the gift that keeps giving, right, from an IT perspective, and so I just did various projects after that, did some consulting, worked for some software vendors, but the hospital environment is really where I love the most. I love being close to the patients and working with the doctors and nurses, so I just kind of made a plan to get back into that in whatever role I could. So, that’s kind of the story, but it’s been a really interesting career change.

The two begin discussing the absence of women in the field, and the benefits that women bring to healthcare IT. Louise brings up the very social aspect of informatics that deals with problem solving more than with technology. Theresa agrees and talks about the shift happening in the field through this discovery.

[06:43] Louise: And how do you find being a female in the role as well, because like we said, and in Australia as well, I know them all by name [laughter] — there’s not that many.

[06:53] Theresa: Yeah, it’s evolved over time. I think there’s a lot more women in this role now than there ever has been before, but I do find it to be a unique challenge because you bring a different — at least the women that I’ve worked with bring different perspective, you know, we think of things from more of a process, more of an emotional standpoint, and how do we build relationships through the process, which I think has been key to a lot of successful IT implementations.

[07:15] Louise: Absolutely.

[07:16] Theresa: It’s really less about the technology than the relationships we build and foster through that process and the communication, and so I think we build a totally different perspective. We don’t talk as much about technology but focus on how do you want to use that technology? What purpose does it provide? Which, when we meet with our counterparts, they’re like, “Why are you starting with that? Don’t you want to know what the technical part is?” Well yeah, eventually we get there, right? It’s just a different perspective.

[07:40] Louise: Yeah, it’s an interesting idea that — you know, if you look at the theory of informatics and the practice of informatics, it is understanding that it’s not about technology for technology’s sake. It’s about utilising the best solutions for the problems that we’re trying to solve, and with that sociotechnical perspective, an informatician wouldn’t necessarily start with that anyway, but to actually — I’m thinking aloud here, but to look at it from a gender perspective, that is a way that women tend to generally communicate, as well. I wonder if there’s a selling point to more women getting involved in technology, and especially technology in healthcare.

[08:25] Theresa: You know, I think over time the perspective the CIO brings is much different. It used to be a very technology focused role, and now technology’s important, but it’s really about how do you actually deploy technology and be successful, because it’s more about the process and the relationship and how it fits in, versus it being the primary aspect, and so we’re expected to know a lot more about the business, and less about the technology, which is a very interesting shift than what we had in the past. It was more about okay, what functionality does this provide, and now it’s about well what am I trying to solve, and working through the problem versus starting with the technology piece, which is critical, but not the most important piece at the end of the day.

[09:09] Louise: Yep, and you’ve seen that evolution throughout your career?

[09:11] Theresa: I have. Before, early on in my career, it was like, “Well, you’re not technical enough to do this job,” and so I’ve really fought that stigma of, “Well, you’re a nurse, you’re a clinician, but you’re not technical, so why would we want you in the role of the technical leader?” I know enough to be dangerous in most cases, but I think that’s just one component. I don’t need to know every bit and byte of how something works to know if we’re going to be successful, because nine times out of ten it’s about adoption and how people feel about it, and less about the technology, and so I’ve had to work my way through that stigma of how do you lead an organisation and you’re not from a technical background, you didn’t go to MIT, you didn’t do these things, and so it’s been an interesting evolution. When I took this job, they weren’t looking for someone who was technical, they were looking for a communicator, someone who builds bridges, those types of things, so it was a really good fit for me. I’m surrounded by smart, technical minds, which is very helpful — never doubt how much importance that brings, but having those people who can help you is critical.

[10:20] Louise: Absolutely. I mean, I think that’s the success of all team building, isn’t it? Just surround yourself with people who are smarter than you.

[10:26] Theresa: Absolutely [laughter].


Louise digs deeper into the evolution of security and Theresa’s need to protect patients through her role. Theresa reflects on the purpose of her career in the big picture, to protect, but also to allow the people she’s helping to reach their full potential in life.

[10:29] Louise: What about your interest in cybersecurity? How did that evolve?

[10:33] Theresa: You know, it’s interesting. When I started with the organisation I am in now, with children, I’ve always been in adult healthcare, so being at a pediatric institution, as we — as healthcare has become a major topic, it struck me that I have to protect the kids, and the best way to do that is to get more engaged and more involved, and so when the cybersecurity opportunity became available, I thought, you know, that’s something I’d really like to get involved in, because again, it’s about educating our leadership about how important security actually is, but on the other hand making sure data is available to take care of the patient, so it’s a delicate balance between being very secure and having nothing happen, and not letting terrible things happen because of cybersecurity. It’s things we’ve never had to worry about, and I just have had an interest in that throughout my whole career, but now it’s something that I think about a lot. At night I think about, “Okay, how am I going to prevent the next bad thing from happening?” Before, I just had to worry about privacy and security around HIPAA and some of those types of things, and now it’s so much more — it’s more than that. I worry less about HIPAA, and HIPAA violations than I do about some hacker or some other bad person wanting to hack into your network for bad reasons, not for just the patient data itself.

[11:52] Louise: That’s interesting. I’m just going to repeat it back to you, as I don’t even know if you realised you said it, but at the start of your answer, you said it was about protecting children — and again, I don’t think that there would be many people who would have jumped at that as their first response. Was that conscious?

[12:08] Theresa: I don’t know if it was conscious. That’s just my mentality is always like the patient first, so everything we do is to protect that patient, whether it’s from a safety perspective, and to make them better and successful in life, and so I don’t know if that was conscious or not. That’s a good question — I have to think about that!

Louise asks Theresa if she has met Obama yet, which has Theresa diving into the diverse kinds of stakeholders she’s worked with, including white hat hackers. Theresa talks about the purpose in security being more focused on recovery than prevention.

[12:28] Louise: Yeah. So, have you met President Obama?

[12:30] Theresa: I have not, I would love to.

[12:32] Louise: Oh bummer… come on, you’ve got the job title.

[12:34] Theresa: I would love to. I’ve met a lot of people from Health and Human Services — that’s the group that we’re working with, primarily, and they’ve paired us up with a lot of smart people from Homeland Security and Health and Human Services and a lot of the divisions within other industries, so finance and banking and some of those to learn about ways to protect ourselves from security challenges. But, the best part has been working with all of the industry stakeholders from a healthcare perspective. So, the medical device manufacturers, the software manufacturers, other healthcare organisations. We have a couple of white hat hackers on the group, that’s very interesting and scary at the same time.

[13:15] Louise: Well actually, can you tell us, for people listening who don’t know what a white hat hacker is.

[13:19] Theresa: A white hat hacker is somebody who hacks for good and not for bad, to help learn about what are our vulnerabilities from a security standpoint, and so having those guys who are very technical hack into systems to tell you where you could have issues or could have a compromise is very interesting, but also very scary [laughter].

[13:38] Louise: Better to come from someone you know [laughter].

[13:40] Theresa: Yeah, at least it’s not somebody bad who’s trying to take advantage of you, but to help you understand where you could make improvements, or just to have plans in place to mitigate an issue, because with security, I don’t think you could ever prevent everything, because people are constantly developing ways to do something different. It’s really about how do you recover when those things happen, and how do you make plans in place so you recover as quickly as possible and don’t harm anybody in the process.

I think that’s one of the things our task force is looking at: what are some of the best practices that people should have in place? Because you’re not going to be able to prevent 100% of technical issues. There’s a lot of smart technical people in the world who look for ways to do mean things and bad things.

Louise has Theresa share more about the task force and the outcomes that they are aiming to deliver. Theresa outlines the main goals, from identifying best practices to developing a risk matrix.

[14:24] Louise: Yes, unfortunately that’s the case. Well, what are you able to say about the task force that you’re a part of, and what are the outcomes you’ve been tasked with delivering?

[14:35] Theresa: Yeah, so one is just to evaluate some of the best practices in other industries and see if there’s any transfer of knowledge between those industries and healthcare. Our second task is really to develop a risk-matrix that shows the security risks that are across all the subsectors of healthcare, because if you look at healthcare, it’s not just hospitals and doctors’ offices, it’s health plans, it’s medical device manufacturers, it’s laboratories and pharmaceutical companies. There’s a lot of shared security risk across all of those things. A good example is a pharmaceutical manufacturer could be hacked and alter the make-up of a drug, that then wouldn’t take care of the patient as well as possible. So, we’re looking at all the risk and we’re looking at ways that are common across all of those subsectors, and we’re putting together a recommendations framework of how to implement some of those best practices. Because it’s important, for large organisations, it’s easier to implement best practices than it is the one doc practice, or the 25-bed hospital, and so we want to make sure things are transferable across all of those levels.

And then, the other big task is around information sharing on cyber security issues. Today, if I have a cyber security issue at my facility, I may not tell anybody else for fear of retribution or an audit…

[15:52] Louise: You mean outside?

[15:53] Theresa: Yes, outside of our organisation. I will try to keep it as closed as possible, just so I don’t have any other issues, and so we’d like to put in a framework where people can actually share their cybersecurity risks and issues, so if they identify something it can be easily shared so people know what to do and can expect it and can act on it through one of the best practices. So, we’re about five months into the task force, and we only have a year, so it’s a pretty lofty goal for what we have to try to accomplish, and we only have 20 members of the task force.

Theresa shares that the role is voluntary and that the team is small. She talks about their goals to come up with recommendations and findings in a way that other initiatives can take them further. She also tells Louise about getting input from public blogs on the website as a way to make practical and implementable recommendations.

[16:27] Louise: And it’s all, I guess, voluntary, and you’ve still got your full-time jobs?

[16:30] Theresa: Pretty much, yeah, voluntary. 200 people requested to be on the task force and 20 made it.

[16:37] Louise: And you’re the chair!

[16:38] Theresa: And I’m the chair. I always say don’t take a cruise when they’re deciding these things, because I was on a cruise ship when they called.

[16:42] Louise: Oh, you’re kidding!

[16:43] Theresa: They said, “Would you like to be the chair?” and I’m like, “How did that happen?” [laughter] So never take a cruise. But, it’s a great honour to do that. I’m working with some really wonderful, smart people, and I think we’re going to produce some really good work product, but a year’s a really short time.

[16:59] Louise: It is a very short time.

[17:00] Theresa: So, we’re not expected to have anything implemented, just some recommendations and findings so another task force could take those and implement them, or HHS could implement them, depending on what we come up with.

[17:13] Louise: And I’m sure there will be a lot of people in Australia actually looking at the website to see what — I don’t know whether you’ll know yet, but what will be made public as well, because I find — and that’s one of the reasons we put cybersecurity front and centre on the agenda for this conference, was — to be honest, it was me, because I see my Twitter feed, and my inbox, every day I get stuff out of the states talking about cybersecurity concerns, and in Australia it certainly, it is not — I mean, obviously there are organisations that would get hacked and everything and there’s ransomware, I know of a few organisations — but no one’s writing about it, no one’s talking about it, the government just now — some people you’ll meet while you’re here in Australia — the government has set up an organisation called “The Australian Digital Health Agency,” and one arm, or one aspect of what they’re going to be looking at is cybersecurity, which is really good, so they’re probably going to want to pick your brains too, while you’re here.

[18:12] Theresa: Absolutely, and we’re going to be posting, and there’s going to be blogs on the website and things, because we’re trying to gather as much information from the public as possible, and so we want people to post to the blogs, we’ll ask questions on the blogs, because we want to make sure the recommendations that we’re making are doable.

There’s nothing worse than having a bunch of recommendations that nobody can implement.

[18:30] Louise: Yeah, they’ve got to be practical.

[18:31] Theresa: They’ve got to be practical and something that people can accomplish, and so we’re worried that we’re going to make recommendations and somebody will go, “Well how stupid is that? They didn’t consider X,” right? So, we’re hoping that the public forum around our blog and some of those things will allow people to ask questions and post, “Did you think of this?” or “Did you think of that?” because there’s so many aspects that we could miss something, and so we’re very concerned will we miss something that was very important to someone?

[18:59] Louise: We’ll be staying tuned to that, and actually, just for those in podcast-land, when we put this podcast up online, I’ll actually put a link to the site as well, so you don’t have to go to Google to find it. We’ll make it very easy for you.

Louise closes the conversation by having Theresa share any advice and encouragement for nurses to dive into healthcare IT. Theresa encourages nurses and women to be risk takers, rather than be so concerned with knowing about something thoroughly before taking part. Finally, Louise asks Theresa to also share what success means to her in her career, to which Theresa reflects on what is most fulfilling about her role.

Just a couple of quick questions as we wrap up, and I think I’ve got too many more, so maybe we’ll chat again another time. For the first one, anyway, so what about — so again, just getting back to the earlier conversations about your beginnings as a humble nurse and getting into IT, and then now chairing this task force, what advice would you have for other nurses that might be listening that aren’t really sure about all of this stuff, but how do we tempt them to put their toe in the water and have a go at it?

[19:41] Theresa: You know, I always say to people, at least what I’ve experienced is people are always worried about knowing 100% of what they’re going to do before they do it, and I always say take a risk, because had I not taken a risk 20 years ago, 25 years ago — I’m losing count — I may still be a nurse on the floor. I mean, I jumped into something that I really knew very little about, trusted that my organisation would educate me and not let me fail, and so sometimes just taking a risk, because I think a lot of people want to plan everything out in detail. So I would say, sign up for things that you don’t know 100%. I don’t think anybody has any expectation that you know every detail of everything, every day. We only have that of ourselves, right? So, take a risk.

That would be the number one thing I would tell nurses and females in general.

[20:30] Louise: Oh, I love that, thank you. And what about yourself? What does success look like for you? So, when you look back at your career, or even now, or in the future, what’s going to make you really happy to know that you achieved or contributed to?

[20:42] Theresa: You know, I think being on the Cyber Security Task Force is definitely one of them. I think my viewpoint is very different than a lot of people on that task force, because I’m really interested in how we put process and policies in place that people can actually implement. I’m very excited about that, and I’m also very excited about just accomplishing the CIO role. I think that was something I wanted to do. And working and being mentors to other people, because I wouldn’t be in this role if I didn’t have good mentors, and so I think just doing those things, I would say yes, I’ve been successful in my career, but I’m always open for new adventures, too.

[21:20] Louise: Yeah, yeah, we’ll catch up in another ten years and we’ll see where we all are [laughter].

[21:23] Theresa: We’ll see. Absolutely [laughter].

Closing Remarks

[21:25] Louise: Well, thanks so much for joining us today on Dissecting Digital Health. Thanks Theresa and enjoy the rest of the HIC conference!

[21:29] Theresa: I will. Thank you very much!

[21:31] Louise: Thank you!




Written by Dr Louise Schaper, PhD
