Joining as CIO of Health Source Rhode Island in 2013, Sumit Ohri had the daunting task of overseeing major technical hurdles in the midst of one of America’s largest healthcare sea changes. Pulse Q&A spoke to Ohri on the challenges of implementing ‘Obamacare’, outsourcing security and his biggest ‘aha!’ moments on the job.
*This interview has been edited and condensed for clarity.*
Pulse Q&A: Welcome everyone to another AMA. Today we have Sumit Ohri from Health Source Rhode Island. He’s going to be speaking to us from San Jose. Thank you so much for joining us, Sumit.
I wanted to start off by just asking a little bit about your background. What sort of path did you take towards becoming CIO of Health Source?
Ohri: I did my undergrad in Electronics and Communication. I came to the US to do my Master’s in Computer Engineering and the first job that I got right after college was more business oriented than tech oriented. That kind of built a foundation for thinking about business goals and objectives and developing a customer focus. From there I moved on to security consulting, helping several organizations set up their network, IT infrastructure and DevOps environments, helping them secure their assets, information and data to achieve compliance with various federal and state regulations.
There was an opening at the Rhode Island state exchange. They needed somebody to come in and manage the infrastructure, both from the IT side of things, looking at the strategy for it, development across the board, as well as security. I was brought in to help deliver the exchange platform and compliance with federal and IRS guidelines.
Pulse Q&A: Tell me how you got from this kind of background to Obamacare. You were involved in a very large way in instituting the Affordable Health Care Act at Health Source Rhode Island.
Ohri: They needed somebody who had done startup work, building up teams and developing strategies from both the IT side and the security side. Luckily, that was my background, building teams within budgets and creating entire security frameworks from scratch.
So that’s the skill set they were looking for. Somebody through their network knew me and they reached out to me. I was a little bit skeptical about traveling across the country and doing all that but, after talking to them, the position seemed really interesting and challenging.
Pulse Q&A: It sounds like such a big challenge to implement one of the biggest changes in healthcare in the United States. Tell us a little bit about how you approached that.
Ohri: I’ve never stuck to one particular vertical. I have sort of an experience of going in and hitting the road running, looking at what’s going on, understanding the business and then recommending changes if needed. I think that’s one thing that they were looking for. Since this was the first time any state was building such a platform, they were not particularly looking for someone from a niche but someone who could come in and help, bring in the experience from across various industries, and then implement the system using best practices and achieve compliance.
Pulse Q&A: We hear so much in the news about the political ramifications. Looking at it from the IT side, what was your view of having to implement the Affordable Health Care Act?
Ohri: First, you have to understand the business, that’s the key. You cannot start implementing right away, you have to understand what the business wants, what their goals are, short term or long term. And if you look at the policies that exist within this whole framework of deploying the Affordable Care Act, it’s extensive. There are so many policies that you have to follow.
I joined in August of 2013. And we had to go live in October 2013. So we had a very short runway. There were some things already in place. The system integrator was in place. They were already developing the system or the platform and had the basic infrastructure around that.
First, we had to make sure that we had something in place that was sustainable, that was robust enough, that would not fail once we went live because we were going to head into high web traffic and we were going to have people coming in and applying for the coverage. I think ours was the only platform that did not crash on October 1 across the country. Every platform crashed on October 1 but ours did not.
After that, basically, it was about deploying everything in phases. Once you understand what the business wants and the policies that are affecting it, the goal was to basically deploy it out in phases.
Pulse Q&A: Has public perception towards Obamacare had any effect on its implementation over the last three years?
Ohri: A little bit. Ours was a state-based exchange. But there’s also a federal exchange. Initially, when ACA was deployed, some states went with the federal exchange but there were others that went and created their own, like Rhode Island, California, Connecticut, Washington, DC. All these states have their own platforms.
The perception is all towards the federal exchange. And whatever’s happening on the federal side, people think that that’s going to happen on the state side as well. So that’s something that we have had to battle with since the beginning.
We had to send our messaging across radio and broadcasting, and social media saying that our site is working, please go ahead and apply.
So in the past couple of years, as things have been progressing with this administration and changes that the President has made with the policy of CS, consumers are questioning benefits that have been taken away. We were able to quickly work with our carriers and implement changes to mitigate that. To your point, policies on the federal side change from time to time, mostly in favor of the customers, but if those changes need to take place over a shorter time period, it adds extra pressure on the deployment process. Fortunately, we now have a mature SDLC process in place that can handle shorter deployment cycles without compromising on the quality of code or the security.
Pulse Q&A: How much of a healthcare background did you need to have for this role?
Ohri: This was fortunately the first time anybody in the country was deploying this. So nobody had the particular skill set to do this in the country. They weren’t looking for a background in healthcare. They were looking for somebody who had experience in diverse industries who could bring in that expertise and deploy and bring in the best industry practices. Learning the business while making deployment and security decisions was challenging but also rewarding.
The CIO role is essentially a captain steering a ship. I had worked in senior management and executive roles prior, deploying a wide range of projects. So it was really falling back a lot on my experiences and lessons learnt to deliver the framework to the best of my abilities.
Pulse Q&A: How do you deal with the two roles simultaneously?
Ohri: They can be conflicting at times: dealing with security and dealing with the business.
There are certain times where the business side wants something to happen without fully understanding the security aspects. In those cases you have to be an innovative thinker, you have to think outside the box and reach a happy medium. You have to make sure the solution doesn’t hinder the business, but also doesn’t jeopardize the security of the assets/information that you are trying to secure.
Pulse Q&A: How much of security at Health Source is outsourced?
Ohri: It’s a good healthy mix. We have put robust processes and procedures in place to make the environment secure. On one hand we have the SI who follows the secure SDLC best practices, including rigorous onboarding training in best practices and peer code reviews; on the other we have a third party assessor who constantly pen tests the code before deployment. We have our in-house team that reviews the changes being made to the code pre and post pen tests; they review the pen test results and rule out false positives.
We are trying to make our software development lifecycle as secure as possible. We’ve integrated the vendor penetration testing and stuff like that within our SDLC process, to make sure that the code is as secure as it could be before it gets deployed to production.
Pulse Q&A: Does digital transformation mean getting rid of legacy in the healthcare industry?
Ohri: I didn’t have to deal with that, because we were starting from scratch. But I think policies are changing as data is getting shared across health insurance companies and providers. There will definitely be a push to move from the legacy systems to more up to date systems that we can maintain and that are secure as the data gets shared between organizations. It’s really important to move out the legacy systems that don’t comply with the best industry standards and make sure that they have something more secure and robust in place.
Pulse Q&A: Any exciting machine learning tools that you use in your line of work?
Ohri: Yes, relating to threat intelligence. We are currently evaluating a few tools on threat intelligence, external and internal. There are a lot of tools that are available that do user behavior analytics. They look at what time your employees log in, what time they log off, what they do generally during those eight, nine or ten hours of work, and what resources they are accessing. So those are the tools that we are right now playing with.
Pulse Q&A: What does your first 30/60/90 days look like?
Ohri: Sometimes you don’t get 30/60/90 days. But to the extent possible, the first goal is obviously always to listen and to understand what the business wants. What are the existing problems somebody might have? Then the next phase is essentially to interact with your business peers, understand what their business objectives are, understand what assets are there, what we are trying to protect, and what the ramifications are of not protecting these assets.
As a third phase, you can start creating and drilling through your plan. It’s really important that you talk about your plan to your business executives but also to your team, so everybody has sort of the same picture across the organization of what you’re trying to achieve with your plans and how it fits in the big picture. Bring everybody on board and proceed forward.
Pulse Q&A: We have questions from our community about protecting data and risk management in the cloud for health care. Any opinions on that?
Ohri: CMS, which is the guiding authority over the healthcare exchanges, has some mandates and regulations. Initially, they were really stringent about not moving to the cloud. But recently, with the security increasing on cloud platforms and the different tools that are available to make the environment secure, CMS has moved their data center over to the cloud. There are a lot of state-based exchanges that are looking to move to the cloud after that.
As a healthcare organization we collect a lot of sensitive data like health records, federal tax information and stuff like that to determine eligibility. We need to make sure that this customer data is well protected. As we are coming up to our refresh cycles we are evaluating how best to use the cloud platform, hybrid, private or public. Cloud platform offers a lot of flexibility and cost savings. We might start with a hybrid approach before we fully migrate to the cloud. In addition we are looking at security maturity models for each platform and evaluating what additional infrastructure and resources we might need with each solution.
Pulse Q&A: One final question. I wonder if you could take me back to 2013 when it was all very new and you were learning things on the fly. Was there an ‘aha!’ moment where it all sort of clicked and it all came together?
Ohri: There were times when we were trying to build this platform and there were different people with different opinions. This one time we were all kind of brainstorming and there was a lot of back and forth about what we wanted to implement. At that point in time, a customer, a small business owner, was part of the advisory board for the exchange and he was evaluating whether to come onto the exchange and offer health insurance through our platform for his employees. The challenges that he was facing at that time included ease of use, availability and access to the portal. He said something that clicked in everybody’s mind. “This is what needs to happen,” we said as he was explaining his challenges with health insurance. I think everybody had that ‘aha!’ moment.
The biggest ‘aha!’ moment that I had, though, was when we were migrating our DevOps process from waterfall to a more streamlined agile and CI/CD model. Our goal initially was to just cut down the timelines from development to production, because there are stark differences between those two models. The ‘aha!’ moment was that not only were we able to accomplish short timelines, but we were also able to streamline our whole DevOps process and make it more secure and robust.
Pulse Q&A: Fantastic, that’s a great note to end on. Thank you so much for joining us, Sumit.
Ohri: Sure thing.