The decision to adopt AI for use in clinical settings and enterprise business systems in healthcare should involve a wide range of constituents. A variety of departments and functions, from the board of directors all the way down to line workers, will need to give input, author policies, write procedures, and be involved in the lifecycle management of AI. Given the number of staff involved and the number of activities and interactions, organizations should look at automated risk management tools that can become a central repository of record for all things AI. This should not be a spreadsheet drill. Let’s examine possible organizational roles and their part in AI program decision-making.
Board of Directors
The Board of Directors (or a subcommittee) should be aware of, understand, and approve organizational risks. The Board is typically responsible for authorizing funding for such enterprise and strategic programs. In this function, the Board should also receive regular briefings on risk status, or have access to a “Board Risk Dashboard” that gives real-time visibility into the status of organizational risks and their associated costs.
The CEO and Executive Leadership
The CEO is responsible for executing the organization’s strategic direction, which is also tied to financial performance and profitability. The CEO and executive management need visibility into the risks and impediments that they may need to overcome to execute the AI strategy. Additionally, executive management and department heads will want the ability to manage AI adoption in their respective areas.
The CFO
The Chief Financial Officer should have visibility into the risks associated with AI and the costs associated with managing them. The CFO should be involved in validating the costs associated with risk in the environment and in managing the expenses of risk remediation, thus having a 360-degree view of risk management and the real costs that drive the organization’s bottom line.
The CMIO/CMO/CNO
The Chief Medical Information Officer, the Chief Medical Officer, the Chief Nursing Officer, and possibly the Chief Digital Officer are responsible for clinical alignment, appropriate clinical AI applications, and the future roadmap and lifecycle management of clinical AI applications, in conjunction with the CIO and CTO. Also, metrics addressing clinical relevancy and outcomes related to AI should be considered.
The Legal Department
The legal department ensures that AI policies and programs comply with relevant laws and regulations. Alignment with HIPAA, Department of Health and Human Services requirements, etc., needs to be documented, and AI is no exception. Legal review of these compliance items and activities, as well as contract review, is critical.
The CIO and CTO
These roles cover strategic IT infrastructure and database alignment, AI program support and management, and helpdesk integration. The CTO’s responsibilities include the underlying infrastructure roadmap to support future AI adoption. The CIO, together with the clinical and operational department heads, is the ultimate focal point for tying together the entire AI program.
The CISO
The CISO office is responsible for cybersecurity readiness and ongoing protection. The CISO and CTO should prepare the organization for AI, assuring that all cybersecurity bases are covered by mapping to a standard such as NIST. The CISO should define any additional security tools, processes, monitoring, and functions that may be specific to AI applications. For instance, if the AI application “learns” over time, the CISO should establish where the additional data is coming from and whether it contains sensitive data, private data, or anything else that must be considered from a regulatory standpoint. Role-based access should be considered for the AI application; in other words, who has access to make what kind of requests or queries of the AI application?
Additionally, organic or rogue data sprawl should be assessed, and the environment should be scanned for non-compliant data and files that may have been distributed throughout the organization. Any non-compliant data should be remediated before adopting AI applications. This is important, especially considering the AI application’s reach into the environment, and it prevents this data from being exposed to inappropriate AI queries.
Compliance/Risk Management
Compliance and risk management should ensure alignment with the organization’s policies and procedures, HIPAA, and other regulatory requirements. Periodic AI audit and monitoring activities should be defined and, ideally, automated to give real-time insight into compliance issues and risks so they can be addressed proactively.
Automated Management of AI and Risk Programs
Since AI needs the attention of a broad number of constituents within the organization, how do you keep track of all these decisions, documents, and data? How do you capture all this activity in preparation for audits and assure ongoing compliance? Spreadsheets are inadequate: they are not centralized, require considerable attention and labor, are hard to track, and offer poor user-level access controls. Automated risk management tools that can track all this activity, monitor cybersecurity compliance, monitor AI-specific activity, and report on compliance can be one answer.
For more information about CSI Companies’ Security and AI Readiness Programs, visit our website and speak with one of our experts today!
Visit our Newsroom to learn more about how CSI Companies has expanded its offerings into Security and AI Solutions.
About the Author
Paul J. Caracciolo is the Executive Vice President of CSI Companies’ Cybersecurity, Risk, and AI Management practice. Our practice uses automated risk and Cybersecurity compliance tools to get hospitals in a posture of real-time management of their environments. Our offerings have a large impact relating to very clear ROI and cost savings in these applications. An added benefit is that we enable organizations to take a proactive approach to managing risk and security instead of being in a firefighting, reactive, and outdated periodic audit mode. Paul can be reached at pcaracciolo@csicompanies.com.