MES IT Leader Spotlight: Shawn Fernandes, CIO And Chief Administrative Officer, Aspire Health Alliance

MES IT Leader Spotlight is a series featuring midmarket IT leaders – their backstory, their biggest successes and challenges, their day-to-day roles, and even advice for their peers. In this edition, the spotlight is on Shawn Fernandes, CIO and chief administrative officer at Aspire Health Alliance.


Shawn Fernandes is the CIO and chief administrative officer at Aspire Health Alliance, a Massachusetts-based health care organization that provides integrated care for mental health and substance use disorders, crisis intervention, and community-based services.

In this interview, Fernandes shares his career path to becoming a CIO, the biggest tech challenges for those in his industry and his career milestones.

Can you share a bit about your background, your career journey, and your day-to-day role?

My role at Aspire Health Alliance is chief information officer and chief administrative officer. What that entails is involvement with technology and the oversight of technology strategy.

I have responsibility for all our buildings, commercial properties, residential properties, program properties, outpatient clinics.

My career started in financial services. I was in banking, out of college — went to work for Bank of Boston ... right at that time when the mergers were happening in the banking space, I moved over to professional services at PricewaterhouseCoopers, and I worked there in a capacity of IT at a local geographic level, and then at a national level for PwC, until I decided it would be a great time to shift into health care and try something different.

And so, I did that, and I moved into for-profit health care with a company called the Mentor Network, and then I was there for many years before I came over to the nonprofit side.

I wanted to sort of get both sides of the envelope, so to speak. This [was] about 15, 20 years ago, where health care was just seeing transformation and evolution, and organizations were seeing the value of technology investments in health care, because health care was always behind, typically, financial services in regard to the technology leading edge or bleeding edge. It was a good time to be in health care as money was coming in to start to transform the space.

What are some of your career milestones?

[I was in] financial services ... 20 years ago, it was brick and mortar, so the services and technology solutions and strategy were around a building, or buildings.

When I went into health care, it was a completely different world. It was services in people's homes. It was people traveling to communities and schools and working with the police departments and hospitals in primary care. The vast majority were trying to deliver systems and technological solutions to people who were everywhere ... they were traveling all the time. They were in all kinds of settings, and they were in places, often within communities where you didn't have great connectivity.

[We] had to think about offline capability for people to work and then come back into a connected environment and then synchronize ... it was a lot more challenging from a technology perspective, because you stack the need for people to gain access to the systems but gain access in connected ways.

That meant you needed to accommodate what was going to be the connection scenario. [Is] it a strong connection? Is it a weak signal? What was the experience? What would the fallback be? What would the offline experience be? But then also deliver that with security wrapped [in]. When you're dealing with people's health information and HIPAA requirements and regulations you really need to get it right.

How are you dealing with cybersecurity and what other challenges are you facing in your specific industry from a technology standpoint?

So [hackers are] coming after the [patient] medical record, because with the medical record, which now many qualify as much more valuable than a credit card or financial information, because now I can set up shop, I can submit claims, I can get paid, I can close up shop and be gone before you've even realized I was there.

The pressure was on protecting the health systems and the health care information. It meant we had to focus on the core -- those connection solutions, the identity of the people coming in ... how it's validated, and what access people have to the information.

The minimum necessary is always a premise in the health care space. I need to give you only what you need. When you need something more, you need to break the glass, or you need to request access, and your policy or profile needs to reflect those changes.

The pandemic forced everyone with this pressure on cybersecurity to really race towards multifactor authentication, single sign-on solutions. We did a lot of that with our managed services partner ... Blue Mantis.

You had to go at the profile and the identity of the people and the tools you gave them to authenticate themselves, prove that they were who they were. But then you had to work on the edge technologies, because, again, you were out there, and you know, the person who authenticates and comes in can have a session hijacked.

You really needed to secure the endpoint technology. You also had to deal with this hybrid [scenario], we had things in our data centers, but we were moving out into public cloud or private cloud, so we had this hybrid environment of our own data centers, and then things that were being accessed in cloud environments. You needed to protect all of that with that identity. But then you had to make sure every endpoint being used was being touched by us and our systems to update it, patch it, secure it, encrypt it. We had to expand on our approach with passwords, and we had to educate people on using passphrases and more complexity.

What are some technologies you are most excited about, and which help you most in meeting your organization’s business objectives?

Four, five, six years ago, we were talking about software-defined networking and how that was going to be important for us, and that was a big step forward for us ... we had to do a lot to make sure that we could build the foundation to support these newer advancements.

And today, the compute power, the application, where it runs, how it runs, how quickly it responds, [how it] is going to support those enhancements with AI because when we go to our vendors and we start talking about the AI implications to the software we use, it's often applications tiered on top of the core system.

In our example, it's an electronic health record that's now tiered with an AI tool that can help you, the provider, write the note, or write a higher quality note, or have a larger amount of data ingested to provide this individual on your caseload, a synopsis of the last six months or six years of treatment, rather than you carve out the time to go read all the notes and all the documentation and all the treatment plans.

You're using these tools on top of sound, strong technology foundations to enhance the service, enhance the treatment.

How we approach the care or the services we bring to the market, largely based on the changes happening around us, which is the analysis of data, to tell you what are people struggling with, what are people dealing with? How do you, as a provider in behavioral health, come to those people with services that are suited to the challenges they're dealing with or coping with?

AI is one of those very big steps for us. We have to be careful, as everyone will probably tell you, as they wade into this area, where is the data? What data are you using for your analysis? What does that data set represent? And then, how are you controlling the flow of your data, making sure we still protect the sanctity of what is the electronic record, or the designated record, where does that all exist, and is it still within our confines and within our controls? Because it's very easy for you to go use one of these models and tools and leak your data out, leak your client health information out, which is a no-no, because that's a violation, that's a breach when that leaves your control.