You didn’t take this job because you lack technology expertise. You took it because a mid-market healthcare organization decided it was time to put a dedicated technology leader on the leadership team, and they hired you to be the first person in this seat.
That means there’s no playbook waiting for you. The role of CIO or CTO in mid-market healthcare is often still a first-generation position. The person before you wasn’t a technology leader. They were a practice manager or an office administrator who handled IT by default, alongside everything else. The infrastructure you’re inheriting was built by people making the best decisions they could without the background to evaluate the options. Some of it works. Some of it has problems nobody has had the expertise to identify.
You already know technology. What you may not yet know is how mid-market healthcare operates as a technology environment: the regulatory constraints, the clinical workflow dependencies, the vendor landscape, the organizational dynamics, and the specific ways that what worked at your previous company may or may not apply here.
This guide is designed to give you that context, organized around the first 90 days, which is the window where the trajectory of your tenure gets set.
What the CIO role actually means in mid-market healthcare
Before getting into the timeline, it’s worth being specific about what this role is. The title might be CIO, CTO, VP of IT, or something else. The mandate is the same.
You’re the person responsible for aligning technology with clinical and business operations. That means governing vendor relationships and contracts that were set up by people without the background to evaluate them. It means owning or overseeing the security and compliance posture, which in healthcare is non-negotiable and more complex than most other industries.
It means creating budgeting and prioritization discipline where none existed. And it means turning what has been a series of disconnected, reactive IT decisions into an actual technology strategy.
The reason this role is different in healthcare is that you sit at the intersection of clinical, operational, regulatory, and financial realities simultaneously. A decision about your EHR affects clinical workflows. A decision about your data infrastructure affects financial reporting. A decision about your security posture affects your cyber insurance, your HIPAA compliance, and your ability to adopt AI down the road. Nothing exists in isolation, and the CIO is often the first person in the organization who sees all of those connections.
Before you start: what to expect from the organization

The leadership team that hired you has expectations, and those expectations may not be fully calibrated.
They know they need technology leadership. They may not know what that leadership actually looks like in practice. Some will expect you to immediately start fixing things. Others will want a strategic plan within weeks. A few will have specific technology they’ve heard about, probably AI, and will want to know when you’re going to implement it.
The most productive thing you can do before your first day is have an honest conversation with whoever you report to about what the first 90 days should actually look like. That conversation should cover what the organization expects to see and when, what your decision authority is, what the budget reality looks like, and whether leadership is prepared to hear uncomfortable truths about the technology landscape.
If the organization expects visible transformation in the first month, that expectation needs to be reset early, because the decisions you make in the first 90 days will determine whether the next three years go well or go sideways.
If any of those basics are vague on day one, getting them defined is your first order of business.
Days 1-30: listen, learn, and resist the instinct to change things
The strongest instinct you’ll have in the first month is to start fixing what’s broken. Resist it.
You’re going to see things that need to change. Vendor relationships that don’t make sense. Security gaps that make you uncomfortable. Infrastructure that’s outdated or poorly configured. Data practices that wouldn’t have been acceptable at your previous organization.
That’s all real, and you’re right to notice it. But you don’t yet have the context to know which of those problems are urgent, which are structural, and which are actually working better than they look from the outside.
Map the existing landscape
Start by understanding what you’ve inherited. This isn’t just a technology audit. It’s an operational inventory.
What systems does the practice run on? The EHR is the center of everything. But there are billing platforms, practice management systems, scheduling tools, patient portals, lab interfaces, imaging systems, and various point solutions that have accumulated over time. Some are integrated. Many aren’t.
Understanding which systems are critical to daily clinical operations, and which are nice-to-have tools that a few people use, will shape every decision you make.
What vendor relationships exist, and what are the terms? You probably have a managed IT provider, an EHR vendor, possibly a security vendor, and several smaller service contracts. Some of these were chosen carefully. Others were inherited or adopted by default. Get the contracts. Understand the terms, the renewal dates, and the scope of what each vendor is actually delivering versus what the contract says they should be delivering.
What’s the compliance posture? HIPAA is the baseline, but it’s worth understanding how the organization has been managing it. Is there documented compliance? A risk assessment on file? (The HIPAA Security Rule requires a documented risk analysis, so its absence is a finding in itself, not just a gap in paperwork.) Incident response and breach notification procedures? Or has compliance been treated as a checkbox rather than an operational practice? The pattern that plays out in many mid-market healthcare organizations: the previous IT provider says they’re handling compliance, but when someone actually audits it, there are gaps that nobody knew about.
What does the clinical staff actually experience day to day? Talk to the people who use the systems. Not just the department heads. The front desk staff, the billing team, the medical assistants, the providers. They’ll tell you what’s slow, what breaks, what they’ve been working around, and what they’ve given up asking to have fixed. That ground-level perspective is more valuable than any vendor report you’ll receive.
Build the relationship with the practice manager
This is worth calling out specifically because it’s one of the most important relationships you’ll build in your first year.
The person who was handling technology before you arrived has institutional knowledge you won’t develop for months. They know which systems the clinical staff depends on, which vendor relationships are working, which problems have been raised and ignored, and what’s been tried before. They also have relationships with the clinical and administrative staff that you don’t have yet.
Your predecessor in the technology role wasn’t the practice manager. There was no predecessor. The practice manager was holding things together without the right tools. Treating them as a partner rather than a problem to be solved will give you access to operational context that would otherwise take you six months to develop on your own.
The practice manager is the most important relationship, but not the only one. Your first 30 days should also include conversations with the CFO or finance leader (who controls the budget you’ll need and understands the cost structure of what you’re inheriting), the compliance lead if one exists (who knows what regulatory obligations are being met and which are aspirational), the operations leader (who sees how technology affects daily workflow across locations), and at least one physician champion or medical director (who can help you understand how clinical staff actually interacts with the systems you’re about to govern). Healthcare CIOs who build strategy without clinical input build strategy that clinical staff resists.
Days 31-60: assess, prioritize, and start building your case

By the end of your first month, you should have a working understanding of the landscape. Now you can start evaluating it.
Security and compliance first
This is the area where the gap between what the organization thinks is happening and what’s actually happening is usually the largest.
What you’ll likely find: the previous IT provider or internal team says they’re handling HIPAA compliance and security. When someone with the right expertise actually audits it, the deficiencies are often significant. Missing risk assessments. Incomplete documentation. Monitoring gaps, such as no central logging or nobody reviewing the logs that do exist. Access controls that don’t meet current standards: shared logins at the front desk, accounts for departed staff that were never disabled, no multifactor authentication on remote or email access. Cyber insurance requirements that aren’t being satisfied, often the same items (MFA, tested backups, endpoint detection) the insurer asked about on the last renewal questionnaire.
Start here because security gaps are the highest-consequence problems you can have. A compliance failure or a breach in your first year will define your tenure regardless of everything else you accomplish. Getting an accurate picture of the security posture, even if the picture is uncomfortable, gives you the foundation for every other conversation you need to have.
If you don’t have the internal expertise to do a thorough security assessment, bring in someone who does. This is one of the areas where outside expertise pays for itself, because the cost of discovering a gap reactively is orders of magnitude higher than discovering it proactively.
Evaluate the vendor landscape
Not all of the vendor relationships you inherited are bad. Some of them are working well and delivering real value. The instinct to replace everything with your own people or your own preferred vendors is understandable, but it’s worth resisting until you have a clear picture of what each vendor is actually doing.
Evaluate each relationship on its own terms. Is the vendor delivering on the scope of their contract? Is the clinical and administrative staff satisfied with the support they’re receiving? Are there capabilities you’re paying for that aren’t being used? Are there gaps in coverage that the vendor should be addressing but isn’t?
The vendors that need to go will become obvious. The ones that are performing well are assets, not obstacles. And the ones in the middle deserve a conversation before a replacement.
Identify the operational bottlenecks
Beyond security and vendors, you’ll start to see patterns in where technology is creating friction for the practice. These usually cluster around a few areas.
Data access and reporting. Leadership probably wants better visibility into practice performance. If CFOs or administrators are spending hours each month manually pulling data from multiple systems to build reports, that’s a bottleneck worth understanding. The fix might be a data platform, an analytics solution, or simply better use of tools that already exist.
System integration. If the EHR, billing platform, and practice management system don’t talk to each other, staff are spending time on manual data entry and reconciliation that could be automated. Identify which integration gaps are costing the most time and creating the most errors.
Support responsiveness. If the current IT support model leaves clinical staff waiting for help while patients are in the room, that’s not just an IT problem. It’s a clinical operations problem. Understanding the response time expectations and the current reality will tell you whether the support model needs adjustment.
Start building your case to leadership
By the end of month two, you should be assembling the picture that will become your roadmap. This is the moment to start communicating upward, not with a finished plan, but with an honest assessment.
Tell leadership what you’ve found. Frame it clearly: here’s what’s working, here’s what’s at risk, here’s what needs attention now versus what can wait. The temptation is to present solutions. Resist that until month three. Right now, your job is to establish credibility by demonstrating that you’ve done the work to understand the environment, and that your recommendations, when they come, will be grounded in reality rather than assumptions.
Days 61-90: build the roadmap
This is where your first 90 days produces its most important deliverable: a technology roadmap that the organization can actually execute.
Sequence by risk and impact
Not everything can happen at once, and the roadmap needs to reflect that. The most effective approach is to sequence priorities into three categories.
What needs to be fixed now. Security gaps, compliance deficiencies, and anything that represents active risk to the organization. These aren’t strategic investments. They’re operational necessities. If your HIPAA posture has gaps, if your cyber insurance requirements aren’t being met, if there are access control problems, these go first.
What should be addressed in the next six months. Vendor transitions that your assessment identified as necessary. Infrastructure upgrades that improve reliability or reduce cost. Support model changes that address the biggest clinical pain points. These are the changes that improve operations without requiring organizational transformation.
What to build toward over the next 12 to 18 months. Data infrastructure. Analytics capabilities. AI readiness. Workflow automation. These are the strategic investments that require a foundation to work. If the security posture isn’t solid, if the vendor landscape isn’t stable, if the clinical staff doesn’t trust the technology organization yet, these longer-term initiatives will struggle regardless of how well they’re designed.
Be honest about capacity
The hardest part of building this roadmap is being honest about what the organization can absorb. Every item on your list may be genuine. That doesn’t mean the organization has the budget, the management depth, or the operational bandwidth to execute all of it simultaneously.
The roadmaps that succeed are the ones that account for organizational capacity, not just technical priority. A three-item roadmap that gets executed is more valuable than a fifteen-item roadmap that stalls after the first two.
Present the roadmap as a sequence, not a wish list
When you bring this to leadership, frame it as a phased plan with clear dependencies. This is urgent and needs to be addressed before anything else. This builds on the foundation that the first phase creates. And this is where we’re heading once the foundation is stable.
Leadership will want to know about the strategic items, the analytics, the AI, the big-picture capabilities. That’s fine. Show them the path. But make sure they understand that the path starts with the foundation work, and that skipping the foundation to get to the exciting stuff faster is how technology strategies fail.
The AI question

You’re going to get asked about AI. Probably in your first week. Definitely by the end of your first month.
Everyone in healthcare leadership has heard about AI. They’ve read about it. They’ve seen vendors pitch it. They want to know what your AI strategy is.
The honest answer in your first 90 days: you’re building the foundation that any AI strategy needs to sit on. AI tools in healthcare require clean, governed data. They require a secure infrastructure. They require integration points with clinical systems. And they require a compliance framework that accounts for how patient data is being used.
If the data infrastructure isn’t there, if the security posture has gaps, if the systems aren’t integrated, buying an AI tool is buying a roof before the foundation is poured. The organizations that benefit from AI in healthcare are the ones that built the foundation first. That’s what your first-year roadmap should be aiming at. We’ve written separately about what AI readiness actually requires in healthcare if that’s a conversation your leadership team is pushing on.
What the ones who succeed do differently
The new CIOs who thrive in mid-market healthcare share a few things in common, and they’re mostly about temperament rather than technical skill.
They learn the context before applying their expertise. They build relationships with clinical and administrative staff before proposing changes that affect those people’s daily work. They’re honest with leadership about what’s realistic, even when the honest answer isn’t the exciting one.
They evaluate each technology function on its own merits rather than making one sweeping decision about insourcing or outsourcing. And they plan for year three, not just year one. The question isn’t “can we build this?” It’s “can we sustain this with the team, budget, and management capacity we’ll actually have two years from now?”
Frequently asked questions

What should a new healthcare CIO focus on first?
Assessment. Before changing anything, spend the first 30 days understanding the technology landscape you inherited: systems, vendor relationships, compliance posture, clinical workflows, and organizational capacity. The most common mistake is making changes before the assessment is complete, which often creates more problems than it solves.
What should a healthcare CIO do in the first 90 days?
Days 1 through 30: listen, map the existing technology landscape, build relationships with clinical and administrative stakeholders, and resist the instinct to make changes before you understand what you’ve inherited. Days 31 through 60: assess security and compliance posture, evaluate vendor performance, identify operational bottlenecks, and start building your case to leadership with an honest picture of what you’ve found. Days 61 through 90: build a sequenced roadmap that prioritizes by risk and organizational capacity, distinguishing between what needs to be fixed now, what to address in the next six months, and what to build toward over the next 12 to 18 months.
How long does it take for a new CIO to have real impact in healthcare?
The first 90 days should produce an honest assessment and a realistic roadmap. The first six months should address the highest-priority security and compliance gaps and any vendor transitions that can’t wait. Real strategic impact, things like data infrastructure, analytics capability, and AI readiness, typically starts to materialize in the 12-to-18-month window if the foundation work has been done well.
Should a new healthcare CIO replace the existing IT vendors?
Not automatically. Some inherited vendor relationships are genuinely performing well. The instinct to replace everything with your own preferred vendors is understandable but should be evaluated on a vendor-by-vendor basis. Assess each relationship against what it’s delivering, what it should be delivering, and whether the clinical and administrative staff are being served well. Replace what’s clearly failing. Keep what’s working. Renegotiate what’s in the middle.
How should a healthcare CIO handle the AI question from leadership?
Acknowledge it directly and frame your answer around foundation-building. AI in healthcare requires clean data, secure infrastructure, system integration, and a compliance framework. If those pieces aren’t in place, buying AI tools is premature. The honest answer is that your first-year roadmap is designed to build the foundation that makes a real AI strategy possible, and that’s a more valuable investment than jumping to a specific tool.
What’s the biggest risk in the first 90 days?
Moving too fast. The technology landscape was built over years by people doing their best without the right expertise. Changing it in weeks, without understanding the dependencies, the clinical workflows, and the organizational dynamics, creates disruption that erodes trust before you’ve had a chance to build it. The first 90 days should build credibility through thorough assessment, not through visible action.
What is the role of a CIO in healthcare?
In mid-market healthcare, the CIO is the first person responsible for turning disconnected technology decisions into an actual strategy. The mandate typically includes aligning technology with clinical and business operations, governing vendor relationships and contracts, owning or overseeing the security and compliance posture, creating budgeting and prioritization discipline, and bridging the gap between clinical needs and technology capabilities.
In many organizations, this is a first-generation role, meaning the person in the seat is defining it at the same time they’re executing it.
If you’ve recently stepped into a CIO or CTO role at a healthcare organization and want to talk through what the technology landscape typically looks like at this stage, that’s a conversation we have often.