Stabilize, modernize, simplify: How Sutter Health addresses tech debt, security vulnerabilities
“So many vulnerabilities, so little time,” has become the mantra of gleeful cybercriminals who are setting their sights on the healthcare industry, ready and able to exploit thousands of potential entry points into lucrative databases of highly sensitive patient data.
As a whole, healthcare has the cringeworthy distinction of leading all other industries in both the volume of cyberthreats and the costs associated with experiencing a cybersecurity event.
Part of the reason why healthcare is such easy pickings is the enormous amount of technical debt accrued by many health systems over years and years of implementing patchwork solutions to fill immediate needs without sufficient long-term planning or governance to guide their infrastructure development.
Each of these poor decisions creates a visible seam in the digital foundations of the enterprise, ready for eagle-eyed cybercriminals to pry open and exploit.
Sutter Health, a non-profit health system serving communities across California, has experienced the negative impacts of technical debt firsthand.
In the post-pandemic environment, as the number and scale of data breaches started to rise precipitately across the industry, leaders at the health system knew it was time to double down on reducing its debt and strengthening its defenses against the relentless attacks from bad actors – one of which resulted in a headline-making data breach in 2023.
Sutter Health started its digital makeover by bringing in James Kluttz as VP and Chief Technology Officer to get a handle on a challenging situation.
“In 2022, Sutter experienced 272 major system disruptions. That’s one disruption Monday through Friday all year long,” said Kluttz during a fireside chat at the Trace3 Evolve Technology Conference in October.
“The IT team was focused on nothing but service recovery – that’s all they had time to work on. We had 18,000 physical and virtual servers in the environment. We still had backup and recovery architectures based on tape. We had legacy systems that had been moved out of production 10 and 15 years prior, but never retired. And we had to continually manage all that equipment.”
Kluttz’s goal quickly became clear: stabilize, modernize, and simplify the environment to reduce the debt and shut down potential avenues for cybercriminals to worm their way in.
“I told our team, ‘If you focus on those three things every day when you come to work, if the task you’re performing leads towards improvement in one of those three categories, you’re focused on the right things.’ That’s our guiding mantra, and it’s been very effective for making good progress so far.”
“What are you going to do differently tomorrow compared to today?”
Kluttz started by working closely with his teams to take a deep dive into what they had in their environment. The results were a little overwhelming.
“There was a lot going on,” he recalled. “We had instances of one application implemented seven to ten times; we had network architecture and technology that had routers and switches that hadn’t been touched, rebooted, or upgraded in 10 years. We had compute architecture that was years beyond end of life. I mentioned tape before, and that’s because it just permeated through our entire tech stack. So, we had our work cut out for us.”
As of 2025, Sutter has revamped almost every single technology and adopted new solutions that better meet the system’s modern, growing needs. The results have been clear and immediate.
“We started with those 272 major system disruptions in 2022,” he said. “The following year, we got that down to 87. In 2024, we landed at just 17 major disruptions. And as of early October this year, we have only experienced 10 – and five of those were SaaS provider outages that we could not have prevented. That’s a phenomenal trajectory, and we’re very proud of the work we’ve done to get here.”
The key to success was being methodical, organized, and collaborative, Kluttz explained. “It couldn’t have worked with a top-down approach where I swooped in and chose all the tools and directed all the action.”
“Instead, I challenged all our teams to tell me what they wanted to do differently tomorrow than what they’re doing today. I asked each of them to bring back their recommendations for how to reimagine the tools and processes within their remit, and fully supported those recommendations as we executed on them together. It created a sense of engagement and ownership that really let us move quickly and see a lot of success in a relatively short period of time.”
Creating a new culture of collaboration to protect and strengthen the enterprise
Paying down the tech debt is paying off in more ways than one, Kluttz noted. The concerted effort to stabilize, modernize, and simplify has opened up new channels of communication between teams that might not have worked together efficiently enough before.
“When I joined, there was a complete divide between the teams – just no collaboration or cross-pollination of ideas. Everyone lived in their own world. When I came in, and our current CISO came in, we knew things had to change. He’s a former CTO, so he’s sat in my seat and can see things through the same lens, which is a huge benefit. We knew we had to work together to break this paradigm, so we started with a focused effort to build joint development plans and share the same operational metrics and goals.”
Sharing insights and responsibilities is crucial for safeguarding the enterprise in the modern, high-cybercrime environment, he continued.
“Security is everyone’s responsibility. Vulnerability management is everyone’s job. Preventing disruptions and cyberattacks requires joint ownership and joint accountability, because criminals are getting too smart for any one team or department to manage.”
“Because we’ve taken this collaborative approach, Sutter Health sits at our lowest aggregate risk score in our history. We have the lowest number of vulnerabilities in our environment we’ve ever had before. And every month, those numbers continue to trend down. And it’s not because security is pounding our team on the head. It’s because we’re jointly working through the challenges to create a stronger, more sophisticated, and more resilient organization as a whole.”
Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry. Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system.