Comagine Health CIO Jason Owens used an early crisis to forge an opportunity. In this conversation with Pulse Q&A CMO Ras Gill-Boulos, Owens details how a breach in his early days led to him learning, on the fly, the best way to communicate to the board.
Ras Gill-Boulos: Welcome Jason to Pulse Q&A. I wanted to get a sense of what your company does. What’s the day-to-day like for you?
Jason Owens: Comagine Health was the merging of two companies, formerly HealthInsight and Qualis Health.
HealthInsight was a quality improvement organization. They do a lot of contracting with CMS directly on quality improvement initiatives, both at the CMS as well as the state Medicaid level. Qualis Health’s primary work was in case and care management. A complementary portfolio set, they merged together and we now do a lot of case management in about 12 different states. Mostly in Medicaid and prior authorizations.
We work and live in a very gray area. We’re not a payer and we’re not a provider. I have doctors on staff but I’m not an insurance carrier. I do the prior authorizations for surgeries or procedures or what have you. It’s a very interesting and dynamic area to be in in the healthcare industry.
Gill-Boulos: I feel like American healthcare has all of these different pockets and you’ve got to understand how they work together. Tell us a little bit about how you got to this role and how you got into healthcare, specifically healthcare IT.
Jason Owens: I’ve been in IT pretty much all of my life. I’m a third-generation techie. My dad was the CIO at the Department of Labor. My grandmother, before she retired, was a COBOL programmer.
I’ve been in IT, mostly in project management, for most of my career. I took a detour actually into politics. My Master’s is in public administration and, after doing some work in a local state legislator, I was asked to translate the Medicare Modernization Act of 2005 into IT requirements for Kaiser. That’s how I got into healthcare.
“[P]robably one of the best advice I got from a previous mentor is never let a good emergency go to waste.”
Ras Gill-Boulos: If we circle back, one of the things that you mentioned is that, when you came to a legacy system, you actually had to change all of that. What was that process like? What were some of the challenges there?
Jason Owens: Coming into a legacy system, especially my first CIO role, I guess probably one of the best advice I got from a previous mentor is never let a good emergency go to waste.
On my 31st day at the FQHC, my core went down. It went down hard. All 12 clinics. At the 12 clinics that we had, we did primary care, dental, and behavior health. We were also a teaching facility.
We went hard down on everything. We had no expertise to actually bring it back up. There was no documentation of what my schema was for my IP address schema.
I didn’t have a network diagram to work from. It was a perfect nightmare scenario. No one knew anything because it was all in people’s heads because they had come up through the ranks there. I used it as an opportunity to just say, “If I’m going to create my perfect system, this is an opportunity.”
After I think about 12 months on the job, I completely redesigned the network, as well as migrated their full domain over as well. It was a perfect opportunity, perfect storm. I just didn’t waste the opportunity of the emergency to kind of move things forward.
Gill-Boulos: When you’re up against your board and they ask you, “What is the worst case scenario?” when a breach occurs, how do you prepare for that answer?
Jason Owens: My title currently is CIO as well as CISO. I actually got the CISO chops while I was literally on the job training. We had a breach: a data loss. We lost an unencrypted laptop with 10,000 patient names. Hardcore data.
What I do as a frame of reference is, at that point in time, the employer who I was working for did not have a security operations division. They didn’t have security engineering. They didn’t have a CISO either.
My boss, in his infinite wisdom, saw that I was handling the network operations center. He said, “You got two out of three words.” He gave me the security operations center and said, “Go create it and run it.” That’s when I started my security journey.
“Through project management I had to learn how to communicate with the business…and be able to communicate them in very no nonsense ways outside of tech-speak.”
What I’ve found from that is you need to have an identified framework. I don’t care whether it’s ISO or NIST. Just identify a framework and then work towards it. If you don’t have these frameworks in place, this is what it can cost you. It’s going to cost you exponentially more now because the government DHS doesn’t play around anymore. They don’t care how big you are.
Data is our life at this point in time, especially in healthcare. They are going to come down hard on you regardless because they expect at this point in time everybody has the securities and the policies in place.
Gill-Boulos: What would you tell other CIOs/CISOs in the same position? If they were to go into this meeting, how should they think about it?
Jason Owens: You’ve got to look at it from the business aspect. Because when it comes down to the board, it’s going to come down to dollars and cents. Speak to them in a language of business; which is typically what they understand as opposed to IT-speak.
What I have learned to do is learned to reference. “These are the things that we do as an organization. If we have a breach, we cannot do this number of reviews. This number of people we’re going to have to lay off because it’s going to cost us X millions of dollars to be able to respond to any of these fines.”
Being able to categorize it into language that the board will understand and they always understand dollars and cents.
Gill-Boulos: It seems as if you’re able to straddle both the technology side and the business aspect of it. What’s the key to success there? What can other IT executives in a similar role do?
Jason Owens: I credit a couple of different things. One, I think I was born into the perfect situation. My dad was a techie. My mom was an English teacher. So communication was always huge in my household.
The other component to that was the fact that I spent a lot of time in project management. I didn’t come up through the hardcore technical disciplines to where, I believe, you can become a little bit isolated.
I think as the CIO role has evolved over time–where the CIOs a generation before me all came up through the technical aspect–I came up as an IT generalist. Through project management I had to learn how to communicate with the business–especially from a business requirements perspective–and be able to communicate them in very no nonsense ways outside of tech-speak.
I think that has served me extremely well, in terms of being able to straddle both the IT side and the business. My undergraduate degree is business administration. I probably took a grand total of two computer courses my entire life through high school and college because I was actually more focused on business. I just had a natural aptitude for technology.
Gill-Boulos: We wish you so much luck here from Pulse Q&A and just thank you so much for joining us today.
Jason Owens: Thank you. I appreciate it.