Highlights from Huntzinger's CHIME Focus Group, March 6, 2018
By Nancy Ripari
Executive Vice President and Partner
Huntzinger Management Group
Spurred by federal regulations and funding, healthcare organizations have for the past several years largely focused their IT efforts and funding on EMRs and Meaningful Use. More recently, attention and funding have shifted to an emphasis on cybersecurity. While these issues are important, the focus on them has come somewhat at the expense of the organizations' technical infrastructures. The vision for the future of the technical infrastructure was the topic of a focus group of nine CIOs, CTOs and healthcare IT leaders recently conducted at the CHIME 2018 Spring Forum.
The group agreed that mobility, consumerism and the move to the cloud are challenging their organizations to set direction with little confidence of success or value. The group felt that the experience to date with cloud hosting has been mixed. Several well-publicized cyberattacks on hosting providers in 2017 are causing healthcare organizations to rethink cloud risks and how to handle business continuity in a hybrid cloud environment. The group then explored options in this space and actions to address them.
Start with a Puzzle Frame — What is the Vision for the Cloud?
- In five years most will be in the cloud. However, legacy applications will remain for at least 10 years and will require traditional hosting.
- Start with something simple and learn, see how it works over time. Start with non-critical applications and move to critical.
- Hybrid environments will be the norm.
- Experiment with development and testing environments that are cloud enabled.
- Remote hosting of ERP, EMRs, and other applications will continue.
- Some legacy applications will continue to be hosted on premise or in a co-location site.
- Management of the hybrid environment will be complex and require different skills.
- Disaster recovery and business continuity need to be re-thought in this hybrid environment.
- Hybrid environments require understanding of performance, security, and service-level agreements (SLAs). Very messy to manage, lots of vendors, no clear accountability.
- Transition from capital to operating expense will be difficult for many organizations.
- Need to reduce the number of applications.
- Need to have strong SLAs to hold vendors accountable. Need to have a big bite for non-performance.
- Risk was once thought to be mitigated by moving to the cloud. Many organizations are rethinking “risk” due to cyberattacks on cloud vendors.
Is it a Light or a Train? Benefits and Challenges
- The promised, but not yet realized, benefit of cost reduction, scalability, resource reduction, reduced data center cost, high availability, and security.
- Many applications are not cloud ready and won’t be for 10 years. This will require a hybrid solution.
- Not finding technical talent in small communities is resulting in remote hosting and long-term contractors.
- The cloud can reduce investments by scaling up and scaling down. Easier to turn on and turn off.
- Large amounts of data, video, and data retention issues are pushing cloud solutions.
- Security is the biggest benefit check box. However, recent events have created concern.
- Emotional — If there is an outage, why aren’t we in the cloud? If there is an outage with the cloud — why aren’t we on premise?
Best-of-Breed Redux — Integration and Security Considerations
- Vendor management teams have been created within organizations to focus on standards and SLAs. Technical team is not always structured or skilled to manage the contracts.
- Internal help desk is still the funnel for all issues. However, it takes longer to resolve: is it the vendor(s)’ or is it local IT’s? Coordination across vendors delays the process.
- Each vendor contract has different commitments for support hours, availability, response time, and SLAs. Problems that span vendors can be difficult to coordinate and troubleshoot.
- Best practice is to keep all end-user communications within the organization. End users shouldn’t call the vendor help desk directly. This can appear to the end user as a delay. However, without central control, the view across the organization is lost.
- Step 1 should always be a risk and security analysis.
- When you go to the cloud you now have many more tentacles. Vendors don’t always do the appropriate level of background checks. Requirements need to be clear in contracts.
- The cloud is sold to the organization one app at a time. They are not given a big picture or strategy.
- Best-of-breed cloud — We don’t know what that’s going to look like or how to manage it.
Playing Jenga with Staff — Skill Sets Added and Removed
- Need fewer high-level skill sets
- Reduction of local support and increase of corporate support
- Security personnel are still being hired in droves
- There should be a reduction in server admins, storage, database resources
- Vendor management is huge and time consuming
- Organizations still need to employ high-level technologists to manage vendors and set direction
- Metrics are going to be a big deal, and as much standardization as can occur is beneficial
Conflicting Performance Standards — Developing an Enterprise Performance Picture
- Integrating change management and downtime schedules across multiple vendors is problematic
- Reporting on availability across multiple vendors can be labor intensive and confusing to end users
- Contracts and SLAs should be defined within the helpdesk system for tracking and reporting
- Vendors should be required to adopt standardized SLAs — this is not always possible
- End-user experience is IT’s responsibility regardless of hosting environment
- Need to develop soft skills in the IT department — IT needs to own it
- Vendors must work through IT every time — no direct contract with the end users
What About the Square Pegs? — Motivation of Defensive Staff
- Organizations have seen a bit of kicking and screaming. Many roles have been eliminated. Need to be very transparent, re-skill.
- The people need to see a development roadmap. People are excited but need to see a future for themselves with options.
- Defining what is going away and what will stay is important.
- Map the change, offer them training, communicate so they are aware.
What’s Important That We Missed?
- Not enough emphasis on business continuity planning. Very vulnerable in this area and need to figure this out. Multiple vendors do mitigate the risk, but critical system downtime outside of internal control is a risk. The organization is dependent on vendor disaster recovery plans.
- It depends on the system. The biggest thing we don’t prepare for is a security breach. This needs to be part of the disaster recovery plan. CEO and staff don’t feel the reality until it happens.
- How do we go to paper? We have it in writing, but we have never rehearsed it.