healthcarereimagined

By KIRSTEN ERRICKSEPTEMBER 30, 2022

The Government Accountability Office report found that agencies failed to disclose approximately $31 billion in fiscal year 2021 investments under the two layers of the Technology Business Management framework that were required.

The Office of Management and Budget and General Services Administration have taken steps to implement and facilitate governmentwide adoption of the Technology Business Management framework, however, more work could be done to further this effort, according to a Government Accountability Office report released Thursday.

The government began to implement the Technology Business Management framework in 2017 to help agencies manage their IT resources. The framework is an accounting standard for how agencies spend their budgets on IT. It is organized into four layers—and categories and subcategories within those layers—that are designed to show an organization’s total IT spending from different angles: cost, consumption and performance. TBM includes standard categories that agencies must use in their annual IT budget requests. These categories group related IT expenses together to allow for more insight into the cost and values of IT resources and allow for governmentwide IT spending comparisons. 

The government’s TBM policy currently only requires agencies to report IT spending in two of the four layers: cost pools and IT towers. As a result, GAO stated that “OMB currently requires agencies to implement half of this framework,” despite OMB launching the governmentwide adoption of the Technology Business Management Council’s framework just over five years ago.

GAO noted that agencies are currently not required to include the remaining two layers—products and services, and business units and capabilities—as well as the subcategories in each of the four layers. 

The watchdog added that while OMB and GSA initially helped agencies implement TBM, they have not performed an agency maturity assessment on these efforts, nor have they analyzed the quality of the currently reported data. GAO also found that, although OMB and GSA released agency data for layers 1 and 2, they failed to disclose that approximately $31 billion in fiscal year 2021 investments were not included. OMB and GSA have also not analyzed inconsistencies in fiscal year 2022 data or addressed benchmarking to allow for spending comparisons between similar organizations by either size or mission.

“OMB and GSA officials maintain that Technology Business Management implementation continues to be a priority,” GAO said. “Nevertheless, until OMB establishes documented plans and agency expectations for the remainder of the taxonomy, uncertainty will cloud agency efforts.” 

GAO made seven recommendations to OMB and GSA. 

The watchdog recommended that OMB direct the federal chief information officer to: 

• Create plans and a time frame for governmentwide TBM adoption for the remaining elements of the framework.
• Work with GSA to build a maturity assessment of agencies’ implementation of TBM.
• Require agencies to submit complete TBM maturity model assessments to OMB and GSA.
• Publicly disclose known limitations in TBM data for fiscal year 2021 on the IT dashboard.
• Analyze agency-reported TBM data discrepancies with IT portfolio spending data. 

Additionally, GAO recommended that OMB’s Office of Federal Financial Management and its Budget Review Division work with GSA’s TBM program management office to determine the proper next steps for updating budget object classification codes in a way that better aligns agencies’ financial management systems with the classification of TBM. 

GAO also recommended that GSA instruct the director of IT data transparency at the Office of Governmentwide Policy to develop TBM benchmarking functions for the IT Dashboard.

Article link: https://www.nextgov.com/it-modernization/2022/09/it-spend-reporting-requirements-still-stuck-halfway-point-watchdog-finds/377916/

• Emma Seppälä
• Kim Cameron

December 01, 2015

Too many companies bet on having a cut-throat, high-pressure, take-no-prisoners culture to drive their financial success.

But a large and growing body of research on positive organizational psychology demonstrates that not only is a cut-throat environment harmful to productivity over time, but that a positive environment will lead to dramatic benefits for employers, employees, and the bottom line.

Although there’s an assumption that stress and pressure push employees to perform more, better, and faster, what cutthroat organizations fail to recognize is the hidden costs incurred.

First, health care expenditures at high-pressure companies are nearly 50% greater than at other organizations. The American Psychological Association estimates that more than $500 billion is siphoned off from the U.S. economy because of workplace stress, and 550 million workdays are lost each year due to stress on the job. Sixty percent to 80% of workplace accidents are attributed to stress, and it’s estimated that more than 80% of doctor visits are due to stress. Workplace stress has been linked to health problems ranging from metabolic syndrome to cardiovascular disease and mortality.

The stress of belonging to hierarchies itself is linked to disease and death. One study showed that, the lower someone’s rank in a hierarchy, the higher their chances of cardiovascular disease and death from heart attacks. In a large-scale study of over 3,000 employees conducted by Anna Nyberg at the Karolinska Institute, results showed a strong link between leadership behavior and heart disease in employees. Stress-producing bosses are literally bad for the heart.

INSIGHT CENTER

• How to Be a Company That Employees LoveIt takes a careful mix of mission, management, and culture.

Second is the cost of disengagement. While a cut-throat environment and a culture of fear can ensure engagement (and sometimes even excitement) for some time, research suggests that the inevitable stress it creates will likely lead to disengagement over the long term. Engagement in work — which is associated with feeling valued, secure, supported, and respected — is generally negatively associated with a high-stress, cut-throat culture.

And disengagement is costly. In studies by the Queens School of Business and by the Gallup Organization, disengaged workers had 37% higher absenteeism, 49% more accidents, and 60% more errors and defects. In organizations with low employee engagement scores, they experienced 18% lower productivity, 16% lower profitability, 37% lower job growth, and 65% lower share price over time. Importantly, businesses with highly engaged employees enjoyed 100% more job applications.

Lack of loyalty is a third cost. Research shows that workplace stress leads to an increase of almost 50% in voluntary turnover. People go on the job market, decline promotions, or resign. And the turnover costs associated with recruiting, training, lowered productivity, lost expertise, and so forth, are significant. The Center for American Progress estimatesthat replacing a single employee costs approximately 20% of that employee’s salary.

For these reasons, many companies have established a wide variety of perks from working from home to office gyms. However, these companies still fail to take into account the research. A Gallup poll showed that, even when workplaces offered benefits such as flextime and work-from-home opportunities, engagement predicted wellbeing above and beyond anything else. Employees prefer workplace wellbeing to material benefits.

Wellbeing comes from one place, and one place only — a positive culture.

Creating a positive and healthy culture for your team rests on a few major principles. Our own research (see here and here) on the qualities of a positive workplace culture boils down to six essential characteristics:

• Caring for, being interested in, and maintaining responsibility for colleagues as friends.
• Providing support for one another, including offering kindness and compassion when others are struggling.
• Avoiding blame and forgive mistakes.
• Inspiring one another at work.
• Emphasizing the meaningfulness of the work.
• Treating one another with respect, gratitude, trust, and integrity.

As a boss, how can you foster these principles? The research points to four steps to try:

1. Foster social connections. A large number of empirical studies confirm that positive social connections at work produce highly desirable results. For example, people get sick less often, recover twice as fast from surgery, experience less depression, learn faster and remember longer, tolerate pain and discomfort better, display more mental acuity, and perform better on the job. Conversely, research by Sarah Pressman at the University of California, Irvine, found that the probability of dying early is 20% higher for obese people, 30% higher for excessive drinkers, 50% higher for smokers, but a whopping 70% higher for people with poor social relationships. Toxic, stress-filled workplaces affect social relationships and, consequently, life expectancy.

2. Show empathy. As a boss, you have a huge impact on how your employees feel. A telling brain-imaging study found that, when employees recalled a boss that had been unkind or un-empathic, they showed increased activation in areas of the brain associated with avoidance and negative emotion while the opposite was true when they recalled an empathic boss. Moreover, Jane Dutton and her colleagues in the CompassionLab at the University of Michigan suggest that leaders who demonstrate compassion toward employees foster individual and collective resilience in challenging times. 

3. Go out of your way to help.Ever had a manager or mentor who took a lot of trouble to help you when he or she did not have to? Chances are you have remained loyal to that person to this day.  Jonathan Haidt at New York University’s Stern School of Business shows in his research that when leaders are not just fair but self-sacrificing, their employees are actually moved and inspired to become more loyal and committed themselves. As a consequence, they are more likely to go out of their way to be helpful and friendly to other employees, thus creating a self-reinforcing cycle. Daan Van Knippenberg of Rotterdam School of Management shows that employees of self-sacrificing leaders are more cooperative because they trust their leaders more. They are also more productive and see their leaders as more effective and charismatic.

4. Encourage people to talk to you – especially about their problems. Not surprisingly, trusting that the leader has your best interests at heart improves employee performance. Employees feel safe rather than fearful and, as research by Amy Edmondson of Harvard demonstrates in her work on psychological safety, a culture of safety i.e. in which leaders are inclusive, humble, and encourage their staff to speak up or ask for help, leads to better learning and performance outcomes. Rather than creating a culture of fear of negative consequences, feeling safe in the workplace helps encourage the spirit of experimentation so critical for innovation. Kamal Birdi of Sheffield University has shownthat empowerment, when coupled with good training and teamwork, leads to superior performance outcomes whereas a range of efficient manufacturing and operations practices do not.

When you know a leader is committed to operating from a set of values based on interpersonal kindness, he or she sets the tone for the entire organization. In Give and Take, Wharton professor Adam Grant demonstrates that leader kindness and generosity are strong predictors of team and organizational effectiveness. Whereas harsh work climates are linked to poorer employee health, the opposite is true of positive work climates where employees tend to have lower heart rates and blood pressure as well as a stronger immune systems. A positive work climate also leads to a positive workplace culture which, again, boosts commitment, engagement, and performance. Happier employees make for not only a more congenial workplace but for improved customer service. As a consequence, a happy and caring culture at work not only improves employee well-being and productivity but also improved client health outcomes and satisfaction.

In sum, a positive workplace is more successful over time because it increases positive emotions and well-being. This, in turn, improves people’s relationships with each other and amplifies their abilities and their creativity. It buffers against negative experiences such as stress, thus improving employees’ ability to bounce back from challenges and difficulties while bolstering their health. And, it attracts employees, making them more loyal to the leader and to the organization as well as bringing out their best strengths. When organizations develop positive, virtuous cultures they achieve significantly higher levels of organizational effectiveness — including financial performance, customer satisfaction, productivity, and employee engagement.

Article link: https://hbr.org/2015/12/proof-that-positive-work-cultures-are-more-productive?

Editor’s note : Due to a typo, this article initially misstated the number of workdays lost due to stress each year. That number is estimated at 550 million, not 550 billion. The sentence has been corrected.

• Emma Seppälä, PhD, is a faculty member at the Yale School of Management, faculty director of the Yale School of Management’s Women’s Leadership Program and author of The Happiness Track. She is also science director of Stanford University’s Center for Compassion and Altruism Research and Education. Follow her work at www.emmaseppala.com, on Instagramor Twitter.
• KCKim Cameron, PhD, is the William Russell Kelly Professor of Management and Organizations at the Ross School of Business at the University of Michigan and the author of Positive Leadership, Practicing Positive Leadership, and Positively Energizing Leadership.

Digital government is designed and operated to take advantage of digital data and technology to create, optimize and transform digital government services.

Why is it critical to continue and accelerate the transition to digital government?

Technology has become essential for remote working, distance learning, maintaining economies and keeping governments running.

Automation and delivering services digitally, wherever feasible, is imperative to the sustainability of many government operations. For most governments, however, the pace of change during a crisis is not sustainable once the crisis abates, due to risk-averse culture and lack of resources.Technology leaders need to help agency and political leadership understand why maintaining the appropriate level of digital acceleration is so important to government services. They can do so by identifying quick wins, aligning digital to political priorities and improving the agility of their operating models.One approach is to reprioritize ongoing and planned digital initiatives based on their use case and value. Some projects:May need to be stopped to free up investment and resources for other initiatives.Need to continue but at a steady (or even slower) rate to make room for more pressing needs.Are needed to address vulnerabilities exposed by the quick solutions put in place during the pandemic.Should be scaled and reinforced for long-term use, such as to support remote/hybrid working, digital citizen interactions and remote operations.Support longer term fundamental shifts in citizen and business behaviors, for instance replacing existing service with a more proactive and predictive approach in human services, public safety and even taxation.

Accelerate Digital Government 

What is the difference between digital optimization and transformation in government?

Digital optimization is the process by which government organizations use data to significantly improve what they are already doing. For example, a tax and revenue agency can enhance its risk analysis capabilities with predictive models to assess the likelihood of payment delinquency and take preemptive steps to avoid that outcome.Digital transformation changes the shape of how the government operates through a process of reinvention and creation. For example, that same tax and revenue agency could move beyond digital optimization by using its vast data resources, fiscal policy knowledge, forecasting expertise and deep-learning software. It could offer tax advisory services provided by virtual digital assistants for a nominal fee. This new source of revenue would be the result of digital transformation.It is important to exercise caution whenever a “transformation” project or program is announced or already underway. It is quite possible the charter and scope of such a project calls for a complete reinvention of government operations by exploiting digital data and technologies. However, upon closer examination, the actual goal of a transformation initiative may well be the optimization of the organization’s existing capabilities and value proposition.

Digital Govt Ecosystem 

What are the key technologies to support digital transformation?

Several technologies contribute to digital transformation. The most relevant are:

Digital government technology platforms, which are a set of cross-cutting, integrated, horizontal capabilities that coordinate government services across multiple domains, such as citizen experience, ecosystem, Internet of Things, and IT systems and analytics.

Digital citizen identity to support online authentication in interactions with government, and increasingly across sectors and jurisdictions, overcoming past identity silos.

Hybrid cloud computing, i.e., one or more public and private cloud services that operate as separate but integrated entities, offering a combination of cost optimization, agility and scalability of public cloud with control and compliance that are typical of the private cloud.

Data sharing across the whole government, leveraging multiple data sources to create new value and achieve improved outcomes. This requires government departments to be willing to expose data and be able to analyze it through a systematic and scalable approach that can reuse data and innovate services.

Total experience is a strategic approach designed to improve the engagement of citizens by providing them with modern tools across multiple channels and touchpoints that enhance overall experience, inclusion and equity. Moving away from a singular focus on customer experience improves the chances that governments can improve the quality of their services and capacity to deliver on their mission in the future.

Govt Technology Trends 

Who is responsible for digital government transformation?

Many government leaders think that “digital” means more technology and turn to the CIO to deliver. And if that doesn’t work, they bring in chief digital officers (CDOs) or chief experience officers (CxOs) to drive the way the government delivers. But while these roles bring great insight, they almost always lack the actual authority to execute.Ultimately, while the titles vary, it is the chief executives of government organizations who are accountable for strategy and execution. Other C-suite members also play a key role in digital efforts, including: The CIO, who is responsible for technology enablement.The chief digital officer, who is mostly responsible for ideation.Mission-unit leaders, who are responsible for the digital delivery of their agencies’ services. A governance framework is essential to define which roles are responsible or accountable for various aspects of a digital transformation program and who needs to be consulted and informed.Most governments have fallen short because real transformation or optimization requires changing business processes, often across organizational silos. This is not an IT problem; it’s a government leader’s insight and ambition deficit.

Be a Top Notch Govt CIO 

How can digital transformation progress be measured?

No. 1: Digital strategyDoes the digital strategy reflect the expected degree of urgency, take into account the readiness of the agency and aim to improve the digital maturity of the organization? To measure progress on this count, you’ll need a self-assessment tool, such as the Gartner Digital Government Maturity Model, that pushes the CIO or other digital leaders to examine the breadth and depth of its digital strategy and its adequacy to the digital ambition of the organization. The assessment looks at several areas of the strategy and suggests what key steps are required to increase maturity in each. The purpose is not to achieve the maximum maturity in each area, but to achieve sufficient maturity to meet the organization’s digital goals.No. 2: Execution of digital strategyTo gauge how successful an agency is in executing strategy, benchmark against peers in the government sector and elsewhere. Tools such as the Gartner Digital Execution Scorecard use digital key performance indicators that are compared to those of industry peers. This generates objective benchmark reports that show relative strengths and weaknesses in different areas of digital execution based on ambition and peer performance comparisons

Digital Business Roadmap 

What are the critical success factors for digital government transformation?

Lessons learned from governments that are already more digitally advanced surface keys to success. This group consistently includes transformational activities in their programs, show a wider range of focus and are more successful at scaling digital across their organizations. Among the attributes and behaviors that set them apart, they:

Both transform and optimizeby redesigning existing end-to-end processes, creating new digitally enabled services or ways to deliver value and automate parts of end-to-end processes to transform citizen experience.Use clear calculated digital success metrics to measure digital impact and maturity. For example, they are far more likely than less advanced governments to monitor and report on regulatory compliance, transparency and auditability, mission impact, efficiency, workforce safety and productivity.

Adopt contemporary practices, such as user research, human-centered design, co-creation, journey and life event mapping.

Deploy common technologies and platforms, such as digital identity solutions, integration platforms, artificial intelligence (AI) technologies and robotic process automation (RPA).

Digitalization Strategy 

What are the main challenges for digital government transformation?

Digital transformation programs still face a number of significant challenges, including:

Siloed organizations. Silos exist across governments, departments and business areas. Each silo requires different types of interventions, which affects strategy, funding, and successful implementation.

Risk-averse culture.Governments are particularly sensitive to risk. Executives are fearful of failure, which reflects badly on elected officials. Frontline workforces focused on service delivery can also be change-averse, as they do not perceive any benefit in altering their proven practices.

Funding. Funding challenges are often a symptom of one or more problems, such as siloed strategies and decision making, as well as considering technology expenditure an operating expense rather than a strategic investment.

Digital skills gap. Core-specialist competencies in areas such as enterprise architecture, cybersecurity, cloud, analytics and digital experience design are vital to successful digital transformation programs, but tend to be in short supply in government.

Resourcing. A lack of timely access to business or subject matter expert resources is often a direct symptom of disconnected priorities, siloed decision making, cultural challenges and a lack of digital dexterity at the executive level.

Article link: https://www.gartner.com/en/topics/digital-government?

Realistic Digital Ambitions 

For executives and their teams

Webinars on Digital Government Priorities and Actions

Government CIOs, Eliminate Friction to Enable TransformationWatch Now 

Gartner Panel: Public Sector Privacy Best Practices to Build Citizen TrustWatch Now 

Build Momentum in the Transition to Digital GovernmentWatch Now 

The 10 Conditions To Sustain Digital Transformation in State & Local GovernmentWatch Now

August 24, 2022

Contributor: Robert Naegle

Change the way you tell your IT value story to drive greater impact.

With digital strategy taking center stage in the fight against today’s economic headwinds, there’s never been a better time to bring your technology initiatives to life through a compelling value story. That requires unwavering focus on the outcomes and goals your stakeholders really care about.

At its core, a great value story resonates with business leaders, supports their decision making and aligns to their key objectives or concerns. Focusing on measurements of work performed, tasks accomplished or resources deployed won’t get you there; instead, focus on communicating outcomes delivered.

See IT Recession Playbook:Actions to Jump-Start Your IT and Digital Strategy

7 rules for creating a compelling value story for IT

We developed seven rules that CIOs can follow to craft and articulate stronger business value stories. Gartner predicts that through 2027, CIOs who implement these seven rules will be 75% more successful in elevating their strategic contribution to their organizations’ missions and increase approval rates for funding requests by 30% over current levels.

Watch Webinar: 7 Rules for CIOs to Successfully Demonstrate the Business Value of IT

No. 1: Remember that the IT stakeholder always determines value

IT stakeholders and consumers, not the providers/producers, determine what is of value. When identifying what is valuable, it’s essential to  align tightly with the business. Without a clear line of sight to business priorities, IT is likely to stay focused on delivering technology or platforms , rather than meeting business objectives, benefits or outcomes.

Identify your key stakeholders and/or consumers, starting with business leaders as the primary stakeholders. Capture, validate and regularly reassess their needs.

No. 2: Note that not all outcomes are equally valued

Team with business leaders to identify and rank their business priorities (for example, value/revenue increase, or cash savings then efficiency gains) then align IT resources to deliver the prioritized outcomes. Capture and validate quantified benefits with key stakeholders and leadership.

Note that your organization will typically value impacts to mission and revenue growth more highly than spend avoided and cost reductions, and budget contributions are considered more valuable —and easier to measure — than efficiencies gained through process improvements.

No. 3: Build two value narratives, for operating and transforming

IT can enable the business to run (operate) and change (grow/transform) but its value for each objective is perceived differently by stakeholders so value measures for ‘run’ and change initiatives should differ. If one initiative covers both, highlight both the differences and the interdependencies in any related communication.

Measure the value of:

• change spend with metrics like return on investment (with returns owned by those receiving the benefits). 
• run spend through price for performance (striving for more performance at a better price).

No. 4: Measure IT’s impact on stakeholders’ objectives, not IT effort expended or resources consumed

Measure business outcomes, not IT work. Platform, systems and infrastructure performance make up elements of IT production, they do not represent quantifiable value to the business stakeholder.

Document the desired/intended business outcome, as agreed to with your stakeholders. Measure IT’s impact on mission or contribution to business outcomes and avoid metrics that communicate effort, work or technical output.

No. 5: Align IT costs to the business services they enable

Stakeholders will better understand IT’s value when IT costs are linked to the business services and capabilities that IT delivers. Costing parts or technologies does not support a value conversation. Value conversations must include both cost and benefit.

Cost the value delivered at the business outcome level (e.g., cost per seat of an application or cost per transaction of critical business services). Include both costs and benefits in all project proposals to determine net value.

No. 6: Communicate IT value in the language of the stakeholder

Use business language, not technical terminology and acronyms, when communicating IT’s value. Keep communication with business leaders clear, relevant, easily understood and designed to drive decision making.

Avoid deep dives into technology and platform capabilities and translate value messaging into actionable insights that support critical business decision making.

No. 7: Ensure those who fund IT understand its contribution to their objectives

Finance and business leaders who fund IT must understand IT’s value and impact on business outcomes, even when they are not the direct recipients of the value. Engage economic buyers early in the value definition process. Make spend justification and value definition a collective effort between IT and key stakeholders.

A productive CIO-CFO relationship is critical to ensuring digital strategy receives appropriate funding. Strong CFO-CIO relationships are more likely to find funding for digital initiatives readily and to keep digital spending in line with the budget plan. Digital funding will lag if CFOs and CIOs don’t align onan enterprise-level view of how to measure the outcomes and success of digital initiatives.

Adapt these rules for your organization

For maximum impact, use these rules as a starting point for framing and guiding your IT value narratives. To adapt to your organization, ask:

• Does this rule apply to our organization?
• How should we customize this rule for our organization?
• Can we emphasize this rule in our business value of IT communications? When and how?
• What else should we do differently to communicate a more clear and impactful value message?

In short:

• IT and digital strategy is critical in today’s economic conditions. You need an impactful IT value story to help business stakeholders make sense of and buy into your technology initiatives. 
• Follow these seven rules to ensure IT and digital strategy stay focused on the outcomes your business partners care about.
• Hint: Don’t talk about IT in terms of the technical work performed, tasks accomplished and effort required.

Robert Naegle is a Research VP focused on CIO issues of finance, economics and business value. His coverage areas include IT financial management best practices and technologies, business value of IT and cost optimization strategies.

Article link: https://www.gartner.com/en/articles/7-rules-for-demonstrating-the-business-value-of-it?

Sent from my iPhone

One of the largest nonprofit health care systems in the U.S. is dealing with a wide-ranging IT security issue forcing it to shut off systems at some facilities. 

CommonSpirit Health – which has more than 1,000 care sites and 140 hospitals in 21 states – said on Monday that it is “managing an IT security issue” impacting several electronic health record systems. 

The Chicago-based ​​company did not respond to requests for comment but said in a statement that it is “following existing protocols for system outages and taking steps to minimize the disruption.”

“As a result of this issue, we have rescheduled some patient appointments. Patients will be contacted directly by their provider and/or care facility if their appointment is impacted,” the company said. 

The statement did little to assuage the anger of customers across the U.S. who reported having issues at their local hospital or with their doctor. Several patients said their doctors were having problems accessing the MyChart tool, which is produced by a company called Epic Systems. 

An Epic Systems spokesperson said the outages were “an isolated incident with one customer: CommonSpirit Health.”

Several local news outlets across the U.S. reported on hospitals in their area facing issues due to the outage. 

MercyOne Des Moines Medical Center had to divert ambulances on Monday due to the outage, and other issues were reported at CommonSpirit’s facilities in Chattanooga, Tennessee.

The Omaha World-Herald reported that all CommonSpirit facilities in Omaha were impacted, including Lakeside Hospital, Creighton University Medical Center-Bergan Mercy and Immanuel Medical Center.

A Washington state news outlet saidSt. Michael Medical Center in Silverdale, Kitsap County’s main hospital and St. Anthony Hospital in Gig Harbor have all been affected by the incident as well. 

Although the company did not respond to requests from The Record about the nature of the incident, cybersecurity researchers including Kevin Beaumont suggested ransomware may be involved.

Ransomware attacks on health care organizations have continued throughout 2021 and 2022, including recent attacks on a California nonprofit in March and a major Texas hospital one month ago. 

In August, the LockBit gang launched a devastating attack on a hospital about an hour south-east of Paris, which disrupted its medical imaging, patient admissions, and other services. 

Ransomware groups and hackers have also made a point of targeting organizations throughout the health care supply chain like CommonSpirit in an effort to cause the maximum amount of damage.  

The United Kingdom’s National Health Service is still struggling to cope with a ransomware attack on an IT provider this summer. The FBI warned two weeks ago that hackers are going after health care payment processors to steal data and money.

An August ransomware attack on printing and mailing services provider OneTouchPoint had several downstream effects on its customers, prompting it to release a data breach notice on behalf of 34 health care organizations. 

In June, the sensitive information of two million people was accessed during a cyberattack on Shields Health Care Group, a Massachusetts-based health care organization that provides services to more than 50 hospitals and clinics across the northeast, including hospitals at higher-education institutions like Emerson College, University of Massachusetts, Tufts University, Wellesley College and more.

A February ransomware attack on medical debt collection firm Professional Finance Company caused a widespread data breach affecting 657 health care organizations.

Article link: https://therecord-media.cdn.ampproject.org/c/s/therecord.media/massive-u-s-nonprofit-health-care-system-grappling-with-it-security-issue/amp/

Jonathan Greig 

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

“I can tell you at DoD, we’re taking this very seriously,” DoD CIO John Sherman said. “And we are committed to implementing zero trust at scale for our four-million-person-plus enterprise that we lead.”

By JASPREET GILLon August 25, 2022 at 2:36 PM

WASHINGTON — The Pentagon’s chief information officer is committed to implementing a zero trust architecture across the entire department in the next five years and will be releasing a new strategy to get there as soon as next month.

“What we’re aiming for is by 2027 to have zero trust deployed across a majority of our enterprise systems in the Department of Defense,” DoD CIO John Sherman said at a FedTalks conference Wednesday. “Five years. That’s an ambitious goal… but the adversary capability we’re facing leaves us no choice but to move at that level of pace.”

To get after its zero trust goals, the Pentagon plans to release a new strategy as soon as next month. The strategy will define DoD’s approach to zero trust between the “main controls” to the most sensitive systems. Sherman said that within the last month, he also hired a new deputy chief information security officer to bolster the office’s efforts.

“I can tell you at DoD, we’re taking this very seriously,” he said. “And we are committed to implementing zero trust at scale for our four-million-person-plus enterprise that we lead.” 

RELATED: Pentagon CIO Hopes CMMC 2.0 Will ‘Raise’ Cybersecurity ‘Waterline’

Cybersecurity remains one of Sherman’s top goals, specifically figuring out how to get after the “technical debt” DoD has accrued over the last 20 years. The Pentagon needs to start thinking of new ways to protect its weapons systems, networks and data and ensure they’re “cyber safe” and secure in a way that it didn’t have to do “staring down the Taliban or ISIS or other adversaries,” he said.

Sherman said cybersecurity can’t be an option, especially when China and other adversaries are trying “to steal our data to put our service members at risk.”

To that end, the Cybersecurity Maturity Model Certification (CMMC) version 2.0, the Pentagon’s major cyber certification program, was moved under Sherman’s purview earlier this year from the office of the undersecretary of defense for acquisition and sustainment. During an AFCEA Space Force IT Day conference in February, Sherman said he wanted to focus on clarifying requirements and increasing engagements with small- to medium-sized companies in hopes of raising the overall “water level” of DoD’s cybersecurity defenses against China and Russia.

“This is basic hygiene to raise the water level to make sure we can protect our sensitive data so that when our service members have to go into action, they’re not going to have an unfair position because our adversary’s already stolen key data and technologies that’ll put them at an advantage,” he said then.

At the FedtTalks event, Sherman said a new cyber talent strategy will also be released in the next few months. The strategy is in the final stages of coordination and involves people from DoD’s personnel, readiness and policy teams thinking “differently about the environment we’re in,” he said. 

“This is the space race for this generation, if you want to be honest,” he added. “We’ve got to get this right, we need to draw on every bit of talent.”

Article link: https://breakingdefense.com/2022/08/five-years-to-zero-trust-pentagon-has-no-choice-but-to-speed-network-goals/

By Jaspreet Gill on September 07, 2022 at 3:01 PM

WASHINGTON — The Pentagon’s upcoming new zero trust strategy will outline dozens of capabilities needed to bring the Defense Department to what it’s calling “targeted” zero trust, a departure from its previous framework, a defense official said today.

The strategy, which could come out sometime this month, outlines 90 capabilities “at the targeted zero trust level, which are clearly defined,” David McKeown, deputy chief information officer for cybersecurity, said at the Billington Cybersecurity Summit. “We have a definition of what it takes to check the box and fulfill that particular capability. Those 90 capabilities are going to get us to what we’re calling targeted zero trust.”

An additional 62 capabilities that will get the Pentagon to a “more advanced zero trust” that could be used on national security systems or systems that are “very, very important” are also defined in the strategy, he added.

Zero trust — a framework the Pentagon has increasingly been focusing on — assumes a network is always at risk of being exposed to threats and requires all users to be authenticated and authorized. On Jan. 19 this year, the Biden administrationissued a memorandum on improving the cybersecurity of DoD, intelligence community and national security systems, setting forth specific guidelines for agencies to adopt zero trust architecture implementation plans.

In a following memorandum dated Jan. 26, the White House’s Office of Management set forth a federal zero trust architecture strategy that called for agencies to meet specific cybersecurity standards by the end of fiscal 2024.

“A key tenet of a zero trust architecture is that no network is implicitly considered trusted — a principle that may be at odds with some agencies’ current approach to securing networks and associated systems,” according to the memorandum. “All traffic must be encrypted and authenticated as soon as practicable.”

The upcoming strategy from DoD is different from the Pentagon’s previous zero trust framework, which McKeown said defined seven “pillars” and how they would evolve levels of maturity.

John Sherman, the Defense Department’s chief information officer, said in August that the strategy will define DoD’s approach to zero trust between the “main controls” to the most sensitive systems. 

Sherman added that one of his goals is to implement zero trust architecture across the majority of DoD enterprise systems in the next five years, saying the “adversary capability we’re facing leaves us no choice but to move at that level of pace.”

During his comments today, McKeown reiterated Sherman’s remarks and said DoD is creating an implementation plan for each of the military services and DoD agencies 

The plan includes three methods to get after DoD’s targeted zero trust goals, including uplifting each service and agency’s current environment to satisfy the 90 capabilities and implementing a zero trust cloud on-premises that meets the highest level of zero trust

“And then we’ve been partnering with a lot of cloud providers to have them examine their current FedRAMP cloud offerings and many of them are very far along,” McKeown said. “A couple are at the 90% level for meeting those targeted zero trust capabilities. So we’re really excited about that, that we have those three offerings. The fact that we’re pointing to the cloud continues our strategy overall in the department to increase our cloud utilization and it also furthers the federal government’s goal of increasing cloud utilization.”

RELATED: Time To ‘Block And Tackle’: Draft Strategy Outlines Air Force’s Future Digital Environment Through 2028

Air Force Chief Information Officer Lauren Knausenberger said on Aug. 29 that zero trust is the framework that will allow the service to simplify its war fighting environment.

“If we can get to the point where we know who you are, that we have our data tagged, that we can get to multi-level security, that we can maybe not have folks like the USAF commander have 22 different networks in five different machines on their desk, [then] we can fight a lot more easily,” she said during the Department of the Air Force Information Technology and Cyberpower conference.

The Air Force has already started defining its zero trust vision for the next six years in a new draft interim strategy published Aug. 26 meant to guide the service on where to spend its time and focus through fiscal 2028.

The service is aiming to implement a zero trust architecture that “protects data in a cohesive way across multiple classification levels,” according to the strategy, including the foundation identity (ICAM) elements that manage users, credentials and the access risk based on the sensitivity of the resources being protected.

Article link: https://breakingdefense-com.cdn.ampproject.org/c/s/breakingdefense.com/2022/09/targeted-zero-trust-new-dod-strategy-will-outline-90-capabilities/?

Written by  Suzanne Smalley
Oct 4, 2022 | CYBERSCOOP

U.S. cybersecurity, law enforcement and intelligence officials revealed on Tuesday that sophisticated hackers infiltrated a likely U.S. military contractor and maintained “persistent, long-term” access to their system. 

The National Security Agency, the Cybersecurity and Infrastructure Security Agency and the FBI released a detailed, joint advisory containing the notification, explaining that in November 2021 CISA responded to a report of malicious activity on an anonymous “Defense Industrial Base (DIB) Sector organization’s enterprise network.”

CISA uncovered a likely compromise, and said that some of the intruders had “long-term access to the environment.” After breaking in, officials said, hackers leveraged an open-source toolkit known as Impacket to “programmatically” construct and manipulate network protocols. 

Impacket is a collection of Python libraries that “plug into applications like vulnerability scanners, allowing them to work with Windows network protocols,” Katie Nickels, director of threat intelligence at Red Canary, said via email. Hackers favor Impacket because it helps them retrieve credentials, issue commands and deliver malware onto systems, she said.

The digital intruders in this case also used a custom data exfiltration tool, CovalentStealer, to steal sensitive data and exploited a Microsoft Exchange vulnerability on the defense organization’s server to gain access remotely, officials said. From there, the hackers used the compromised company accounts to further infiltrate the targeted organization.

Nickels said hackers could have gained access by exploiting vulnerabilities in Exchange, but there is “no evidence to support this right now, nor is there evidence that adversaries knew about the ProxyNotShell,” a reference to a new Exchange Server zero-day vulnerability.

There have been a number of Exchange vulnerabilities reported over a span of years, Nickels said. Given how difficult it can be to patch on-premise Exchange servers, she said, many of these vulnerabilities go unfixed, and become vectors for attack.

The advisory includes details on indicators of compromise found by CISA and a third-party incident response organization. CISA, the FBI and the NSA recommend that defense industrial base and other critical infrastructure organizations implement the mitigations detailed in the advisory.

Read the full advisory here.

Article link: https://www.cyberscoop.com/feds-release-advisory-apts/

-In this Story- 

advanced persistent threat (APT), critical infrastructure, Cybersecurity and Infrastructure Security Agency (CISA), incident response

Written by  Suzanne Smalley
Oct 4, 2022 | CYBERSCOOP

U.S. cybersecurity, law enforcement and intelligence officials revealed on Tuesday that sophisticated hackers infiltrated a likely U.S. military contractor and maintained “persistent, long-term” access to their system. 

The National Security Agency, the Cybersecurity and Infrastructure Security Agency and the FBI released a detailed, joint advisory containing the notification, explaining that in November 2021 CISA responded to a report of malicious activity on an anonymous “Defense Industrial Base (DIB) Sector organization’s enterprise network.”

CISA uncovered a likely compromise, and said that some of the intruders had “long-term access to the environment.” After breaking in, officials said, hackers leveraged an open-source toolkit known as Impacket to “programmatically” construct and manipulate network protocols. 

Impacket is a collection of Python libraries that “plug into applications like vulnerability scanners, allowing them to work with Windows network protocols,” Katie Nickels, director of threat intelligence at Red Canary, said via email. Hackers favor Impacket because it helps them retrieve credentials, issue commands and deliver malware onto systems, she said.

The digital intruders in this case also used a custom data exfiltration tool, CovalentStealer, to steal sensitive data and exploited a Microsoft Exchange vulnerability on the defense organization’s server to gain access remotely, officials said. From there, the hackers used the compromised company accounts to further infiltrate the targeted organization.

Nickels said hackers could have gained access by exploiting vulnerabilities in Exchange, but there is “no evidence to support this right now, nor is there evidence that adversaries knew about the ProxyNotShell,” a reference to a new Exchange Server zero-day vulnerability.

There have been a number of Exchange vulnerabilities reported over a span of years, Nickels said. Given how difficult it can be to patch on-premise Exchange servers, she said, many of these vulnerabilities go unfixed, and become vectors for attack.

The advisory includes details on indicators of compromise found by CISA and a third-party incident response organization. CISA, the FBI and the NSA recommend that defense industrial base and other critical infrastructure organizations implement the mitigations detailed in the advisory.

Read the full advisory here.

Article link: https://www.cyberscoop.com/feds-release-advisory-apts/

-In this Story- 

advanced persistent threat (APT), critical infrastructure, Cybersecurity and Infrastructure Security Agency (CISA), incident response

• Paul Leinwand
• Joachim Rotering

November 17, 2017

Summary.   

Research has shown that only about 8% of company leaders excel at both strategy and execution. But more and more, we need leaders who can do both. Leaders who master both strategy and execution start by building a bold but executable strategy, addressing the questions “What are we great at?” and “What are we able to achieve?” rather than coming up with lofty plans and asking functional and business-unit teams to do their best to execute. Next, leaders must ensure that the company is investing behind the change, which means linking the budget closely to the strategy. Finally, leaders need to make sure the entire organization is motivated to go the journey. Great leaders know that success stems from specific skills that come together in unique ways to do the challenging tasks in executing the strategy.

For decades, we’ve often thought of leadership profiles in unique buckets—two popular varieties were the “visionaries”, who embrace strategy and think about amazing things to do, and the “operators”, who get stuff done. We intuitively knew that there must be leaders that span these areas, but in fact, few do. According to a global survey of 700 executives across a variety of industries conducted by Strategy&, the strategy consulting division of PwC, only 8% of company leaders were said to excel at both strategy and execution.

You may think that success can be achieved by excelling at either strategy or execution individually—that great visionaries can change how we see the world, or that amazing operators can wind up outperforming competitors. But our experience and research suggests that the days of keeping strategy and execution as separate topics are ending: We need leaders that can create big promises to customers, and help their organizations deliver on those promises.

Take Starbucks: CEO Howard Schultz created a very ambitious aspiration for the company, far more than just being a seller of coffee. He wanted Starbucks to be a “third place” for conviviality beyond home and the workplace. Visit a Starbucks anywhere in the world, and you will find the same consistently comfortable and welcoming ambiance. But he didn’t get there simply by telling his staff to “be warm and friendly”.

Starbucks has been able to deliver on its promise because that promise is tightly linked to the company’s distinctive capabilities. The feel of Starbucks stores isn’t created merely by the layout and the décor—it exists because the people behind the counter understand how their work fits into a common purpose, and recognize how to accomplish great things together without needing to follow a script.

INSIGHT CENTER

• The Gap Between Strategy and ExecutionAligning the big picture with the day-to-day.

Over many years, Starbucks has built a capability to foster a relationship-driven, “employees-first” approach. It was Schultz who famously said “You can walk into [any type of retail store] and you can feel whether the proprietor or the merchant or the person behind the counter has a good feeling about his product. If you walk into a department store today, you are probably talking to a guy who is untrained; he was selling vacuum cleaners yesterday, and now he is in the apparel section. It just does not work.”

Schultz made sure that Starbucks would be different: Workers are called “partners” rather than employees, and even part-time staff (in the U.S.) receive stock options and health insurance. At the height of the global financial crisis, when other companies were cutting HR costs wherever they could, Starbucks invested in staff training, including coffee tastings and courses that ultimately qualified employees for credit at higher education institutions. Beyond employees, much of what you will see and experience at Starbucks has been well thought out to accomplish the company’s mission, from the music played to the furniture selected. Even the bathrooms are strategic at Starbucks, because they play a part in allowing customers to spend time in the “third place.”

Leaders like Howard Schultz don’t just have both the visionary and operator skills—they deeply value the connection between the two skill sets. In fact, they see them as inextricably linked, since a bold vision needs to include both a very ambitious destination and a well-conceived path for execution that will get you there. This is ever more important today, where differentiating your company is so difficult. Differentiation increasingly requires more innovative thinking, and the use of very specific areas of expertise (like Apple’s winning design, a capability that wouldn’t have been prioritized in most technology companies before Jobs).

Leaders who master both strategy and execution start by building a bold but executable strategy. Next, they ensure that the company is investing behind the change. And last, they make sure the entire organization is motivated to go the journey.

Developing a bold but executable strategy starts with making sure leaders have addressed the questions of “What are we great at?” and “What are we able to achieve?” rather than coming up with lofty plans and asking functional and business-unit teams to do their best to execute. Indeed, they spell out the few differentiating capabilities that the company must excel at to realize the strategy.

Ensuring that the company is investing behind the change means that leaders recognize that the budget process is one of the most important tools in closing the strategy-to-execution gap. Cost isn’t an exogenous variable to be managed—it is the investment in doing the most important things well. But rarely are budgets linked closely to the strategy. If your company is merely incrementalizing the budget up or down by a few percentage points, ask yourself whether the investments are really reflective of the most important tasks.

Motivating individuals is a hugely underleveraged tool to close the gap between strategy and execution. Great leaders know that success stems from specific skills that come together in unique ways to do the challenging tasks in executing the strategy. But today most employees don’t even understand how they are connected to the strategy. In a recent (not-yet-published) survey of 540 executives, managers, and non-managers by Strategy&, only 28% of employees said that they feel fully connected to the purpose and identity of their organization. Articulating the strategy in human terms—what capabilities the company will need to build, and what skills are required to do so—not only helps the company focus on how to develop the right talent, but it allows individuals to understand how their role fits into the overall strategy, and allows them to see their work in a much more fundamentally connected way.

How are you doing in combining strategy and execution? Below are some questions for you to think through that cover all three stages of the strategy-to-execution continuum. Getting these three areas right allows leaders to make a big step forward toward closing the gap between strategy and execution:

1. Build the strategy.

• Are you very clear about how you add value to customers in a way that others don’t, and about the specific capabilities that enable you to excel at that value proposition?
• As strategies are being developed, are you using the classic approach of “build the strategy, then think about execution,” or are you asking yourself the question, “Do you have the capabilities needed—or can you build the capabilities needed—to execute the strategy?”
• As you’re dealing with disruption, are you shaping the world around you with your given strengths, or are you waiting for change to happen, and therefore playing by someone else’s rules?

2. Translate the strategy into the everyday.

• Are you diligently following through on what you have decided? You need to be very clear about what the strategy is and what it takes to succeed—and to communicate it so that everyone in the organization understands what they should be doing.
• Are there visible programs (for example specific new technologies, new processes, or training programs) to build the key capabilities your organization needs to win with its strategy?
• Are you building specific connections between strategy and the budgeting process so you’re reallocating funds to where they matter most? And do you have mechanisms in place that translate the strategy into personal goals and rewards for managers and employees?

3. Execute the strategy.

• Are you motivating employees every single day to understand how what they’re doing connects to the important strategic levers that you have focused on?
• Are you enabling employees to work together across organizational silos to tackle the cross-functional challenges that allow the company to win?
• Are you keeping track not just of your performance, but of how you’re building and scaling up those few key capabilities that enable you to create value for customers in ways that others cannot?
• Is your management team engaged in how you are executing the strategy—not just by measuring results, but by constantly challenging the organization and supporting it in improving its key capabilities? Are you setting your team’s sights high enough for what they need to accomplish, and by when?

We believe there’s a tremendous upside for companies that can succeed at strategy through execution. The leaders who are able to be both visionaries and operators, and switch between these two mindsets, are the ones who can turn their organizations into super-competitors.

Paul Leinwand is the global managing director for capabilities-driven strategy and growth at Strategy&, PwC’s strategy consulting business. He is a principal with PwC US, an adjunct professor of strategy at Northwestern University’s Kellogg School of Management, and a coauthor of several books, includingBeyond Digital: How Great Leaders Transform Their Organizations and Shape the Future (Harvard Business Review Press, 2021) and Strategy That Works: How Winning Companies Close the Strategy-to-Execution Gap(Harvard Business Review Press, 2016).

Joachim Rotering is the Strategy& Global Leader as well as the Europe, Middle East and Africa Leader. He is a Managing Director with PwC Strategy& Germany and works primarily with clients in the oil, chemicals, and steel industries.

Article link: https://hbr.org/2017/11/how-to-excel-at-both-strategy-and-execution?