As organizations move forward with a digital transformation strategy, healthcare finance leaders must be prepared to answer tough questions related to ROI, cybersecurity, employee engagement and more. In this roundtable, sponsored by Pure Storage, several revenue cycle and technology leaders discuss their financial strategies.
In what areas of digital transformation are you currently investing?
Joe Avelino: College Medical Center is a 221-bed acute care hospital, but we focus primarily on behavioral health services. Our number one focus area is cybersecurity. Last year, we spent $45,000 to perform a security risk assessment. We also started using the HITRUST cybersecurity framework that’s regularly revised to include HIPAA-related data protection requirements. Our second focus area is technology to enable more efficient denial management, making sure we have an interface between our electronic health record and our health plans. This was crucial during the COVID-19 pandemic when we saw a lot of MediCal HMO Managed Care Organizations deny payment and authorization for inpatient behavioral health admissions.
Fahd Benjalil: We’re a 181-bed acute care hospital that’s part of Sharp Healthcare. From an IT-as-a-service perspective, we continue to invest in telehealth as an organization among other investments. We’ve had a tenfold increase in telehealth usage compared to prior to the pandemic.
Jon Kimerle: There is clear investment around building a more consumer-centric experience in healthcare. This includes the telehealth expansion we saw in the past eighteen months. Among many other impacts, the pandemic has elevated consumers’ expectations of how they experience healthcare. We are seeing interest in moving into other areas of delivering care and wellness in the home. Secondly, it is all about the data and using it to improve outcomes. We are seeing significant investment increases in areas from organic data growth, data protection, incorporating non-medical data and leveraging advanced analytics like artificial intelligence and machine learning to improve outcomes.
What role does organizational agility play, if any, as you consider various IT investments?
Avelino: We want to be as nimble as possible. What’s critical for organizational agility is having a structured committee that can help us make efficient and informed decisions. For us, it’s the IT steering committee. It’s a multi-disciplinary team made up of me, the CIO, CNO, VP of ancillary services, CFO, HIM director and quality director.
Benjalil: The agility piece is pretty significant. When COVID-19 hit, we had to change the way we did everything. We had new federal and state data reporting requirements, labor ratio adjustments and more. While we were doing that, cybersecurity was a huge threat. Luckily, we have an amazing IT team. What we’ve learned in the last 18 months is how to collaborate a little bit faster. While we still have steering committees and other committees, we have learned to make decisions quicker. With that said, the process of acquiring medical equipment takes longer. If the device connects to our network, it must go through the new technology committee before we can make the purchase. It takes a more robust investigation.
Kimerle: There are two ways I would answer this question. One is going forward and the other looking backwards. As organizations make new investments, they are starting to prefer as-a-service models that can increase their optionality and agility. Looking backwards at the legacy IT portfolio, simplification and consolidation continue to be a great IT strategy for most organizations to reduce cost and complexity.
How will you ensure organizational agility going forward?
Benjalil: In terms of ensuring the next generation embraces organizational agility, it’s about embedding that agility into the culture of the organization. Just as we focus on providing a consistent patient experience (similar to that of a franchise), we must provide a consistent employee experience focused on agility at the forefront. We were challenged to be nimbler during the pandemic. Let’s not go back to the old way. Let’s continue to adapt to the market and industry.
Kimerle: From IT infrastructure, I believe in taking a longer view in total cost of ownership (TCO) calculations on new investments as well as leveraging enterprise architecture. A three-year TCO will not factor in the legacy IT business models that are built on obsolescence and rebuying what was already bought with disruptive migrations. A six-plus-year TCO that incorporates all expenses on core platforms will help uncover these previously hidden issues.
As your digital transformation continues to unfold, how do you ensure employee engagement and buy-in?
Don Courville: We always talk about what our patients want (for example, easy access and a frictionless experience), but our employees also want that. They want it to be easy to work at Sharp. They don’t want to push paper or deal with clunky processes. They want a modern employment experience. The goal of technology-as-a-service is to enable staff to be more agile and productive. We’re interested in megaplatforms that give us seamless process and data integration. This is a trend that will continue into the foreseeable future. The past 18 months have only elevated these expectations. With that said, we need to maintain our culture and stay connected whether it’s digital, in-person or a mix. We’re still figuring this out. Our patients and employees continue to push us forward in this regard.
Kimerle: Pure Storage has been going through a transformation, and senior leadership frequently talks about the why behind the effort. Effective participation usually strengthens adoption, buy-in and engagement.
As you think about leveraging the cloud, is it a destination or an operating model? If an operating model, what are its characteristics?
Courville: We very much look at the cloud as an operating model. However, you need the right governance in place. We are still working on this. As with anything that’s highly complex and has a lot of moving parts, if you don’t have the right buy-in and plan associated with it, you’re not going to arrive at the intended destination. That’s why architecture is the cousin of governance. You need the right blueprint in place. Analytics also come into play. Everybody knows about the shift from CAPEX to OPEX. When you have variable cost consumption, subscriptions and other concepts that are basically brand new to the way organizations pay for IT, you need data-driven insights. Otherwise, you can find yourself in big trouble really quickly. With the cloud, there are ways to optimize your spend, but there are probably ten times more ways to get bad financial surprises if you don’t have these other elements in place.
Avelino: We use cloud computing, meaning we store and access data and programs over the internet. We’ve looked at Microsoft® Azure, Google Cloud and Amazon Web Services, but these options have all been cost prohibitive.
Kimerle: As we look at more digitally mature industries outside of healthcare, we see a focus on hybrid and multi-cloud strategies. Healthcare, in general, has less experience in leveraging the public cloud for its strengths. Only in the last couple years has healthcare had direct experience with public cloud initiatives. A smart strategy is to be crystal clear on the business or clinical outcomes desired and put the IT workload where it makes the most sense. A foundation that enables hybrid and multicloud seems to have the strongest strategic value to most organizations through increasing flexibility, optionality and agility while reducing risk.
In the past year, healthcare organizations have seen an increase in the number of ransomware attacks. How important are investments in cybersecurity at your organization?
Avelino: We’ve actually had a couple of incidents at our organization prior to the pandemic. In one case, it had to do with payroll direct deposit. In another case, it had to do with an equipment repair. Then the pandemic came along. We knew we needed to establish a more robust process for cybersecurity. That’s when we performed our security risk assessment. This assessment was critical. We’re probably more at risk than other organizations simply because of the behavioral health population we serve.
Several recommendations emerged from that assessment. First, we established a cybersecurity framework. Within this framework, we assessed the current condition, evaluated the current state of controls and understood our risk. Next, we analyzed gaps in security best practices and established information security policies such as an information security governance and charter, information security risk management policy, information security awareness policy, communications and outreach policy, asset inventory policy, asset category policy, privilege accounts and password management policy, network security policy and encryption policy. Finally, we established a risk-assessment process to identify threats and vulnerabilities, identify existing controls, determine the impact and develop an incident-
Courville: Ransomware is an epidemic. We’ve been supported by our executive team to be aggressive in terms of protecting ourselves. The ransomware activity has forced us to take a COVID-like response to cybersecurity. Before the pandemic, we might have said, ‘Let’s put that in next year’s budget and roll it out over 12 months.’ Now we’re saying, ‘Let’s buy it immediately and get it deployed in a month.’
We have put a lot of emphasis on guarding the front door — putting protections around the core systems like electronic health records and the enterprise resource planning systems. But people sneak in through phishing emails or other systems. We’ve got to pay attention to these systems along with biomedical devices. With biomedical devices, the reality is that we need to do a lot of the protection ourselves. We need to invest in technology safeguards for devices throughout the enterprise. As we pursue new digital health strategies with more dynamic connectivity requirements and new security concerns, we also need network technology as a service that allows us to ensure secure bidirectional data flow. Legacy security and network paradigms don’t lend themselves to this level of flexibility and security.
Kimerle: Cybersecurity, in general — and ransomware in particular — is a board-level topic in most organizations. There is only so much effective investment that can be made at preventing and detecting these types of attacks. The reality is that it is a matter of when — not if — you will experience a successful attack. As a natural consequence, we are seeing increased interest in the ability to rapidly recover from immutable backups. In many of the publicized ransomware attacks, we saw healthcare organizations take close to a month to be fully back up across all applications. Engineering a rapid recovery process can turn recovery from an attack into hours instead of days and weeks. There is significant economic value in having this capability.
Has your organization created a financial impact assessment of these and other types of attacks?
Benjalil: We haven’t created a formal financial impact; however, we are definitely aware of how an attack could impact us. When another local health system was attacked by ransomware, they basically had to cease all operations. A lot of their volume shifted to Sharp. All of their computer systems were down. Their networks were down for weeks. Attackers also stole patient information, and now there are pending lawsuits. You have to think about not only the lost revenue and increased expenses during the attack itself but also the impact on your market share. Patients may actually go elsewhere if they feel their information is not safe. It’s the big picture that we need to think about.
Kimerle: In working with customers to identify the value of rapid recovery solutions, we have built quite a few ROI models for organizations. For the past few years, we used several different industry benchmarks that ranged from $7,000 to $16,000 per minute of outage, depending on the size of the organization. Recently, the duration of ransomware outages is expanding, and this is increasing the economic impact. The idea of core applications being unavailable for up to 30 days has serious impact. As an example, United Healthcare Services noted in their financial statements that the economic impact of their attack was $67 million. That’s about 1% of their annual revenue.
If you could solve one problem with acquiring information technology infrastructure, what would it be?
Benjalil: I would want a cloud-based platform that allows managers of different departments to perform real-time productivity analysis — a tool that would allow department managers to make staffing decisions on the fly. Labor is such a huge amount of your total operating expenses. There’s a huge opportunity to improve in this area. There are solutions out there that do some of this, but they don’t cover every aspect of what I’m looking for.
Avelino: I would want to address the rising costs of IT. When we negotiated with our electronic health record vendor, we had to hire an attorney to negotiate the terms. We ended up with a seven-year agreement that cost a couple million dollars. In the long run, the seven-year agreement will make it more manageable, but it doesn’t negate the overall exponential cost.
Courville: I would want to create an easier way to measure value delivery or ROI. You shouldn’t spend money unless you’re going to get something for it. For example, did you see improved patient outcomes? An increase in patient volume? An increase in productivity? I think we can do a better job of drawing a solid line between investments and outcomes. Just installing technology is a good way to not get value. Each technology brings new data, processes and capabilities. If you haven’t adjusted jobs and processes to work with that new system, you’re probably not going to get what you want out of it.
Kimerle: The clear problem I would choose is around realizing the full value of IT investments. It’s an organizational discipline improvement. Often the business or clinical outcomes are not fully understood. Additionally, the proposed solution needs to be fully developed with all the people, process, technology and culture complements to enable the desired outcome.