Our State of the Industry Survey: Taking the Pulse of Senior Healthcare Executives

Jan. 23, 2020
Prominent industry leaders react to the survey’s wide-ranging findings around budgeting, value-based care, cybersecurity and more

Budgets and staffing to support organizational and transformation change are looking up, even as healthcare and healthcare IT leaders face enormous challenges in the shift from volume to value in U.S. healthcare delivery and payment, and in making concrete progress in the clinical and operational transformation needed to succeed under value-based contracts with public and private payers. Meanwhile, major gaps remain in enhancing the level of cybersecurity preparedness nationwide.

Those are among the findings of the Healthcare Innovation State of the Industry Survey, conducted online during the autumn of 2019. This article will focus on some of the major findings, with industry leaders and observers sharing their insights and perspectives on the major findings. The survey included responses from nearly 200 senior healthcare executives at hospitals, health systems, medical groups, and other patient care organizations.

Healthcare IT budgets and staffing: mostly good news

Let’s begin with some basic findings. We asked readers: “Compared to two years ago, how has your IT budget changed?”

“How much has your budget increased?”

More than seven in 10 respondents (73 percent) said their budgets have increased by less than 15 percent, while 27 percent said they’ve increased by more than 15 percent. About 7.5 percent of respondents said their budgets have risen by more than 25 percent.

“How large is your IT staff overall?”

  • 1 to 25: 65.3 percent
  • 25 to 50: 13.3 percent
  • 51 to 100: 2.7 percent
  • 100 to 150: 9.3 percent
  • More than 250: 9.3 percent

The only negative finding is around staffing, where fully 65.3 percent reported staffs of 25 or under. That having been said, the survey respondents represent every size of hospital facility, including critical-access facilities, as well as medical groups; when that factor is taken into account, the results seem less dire.

Tim Zoph, a former CIO and currently client executive and strategist at the Naperville, Ill.-based Impact Advisors consulting firm, says of these findings, “The note of optimism is the sense that budgets are increasing, and they’re increasing at a pretty good rate, relative to other industries that are projecting at 3 to 4 percent increases. The core question is, what are you spending it on? And can you manage the value delivered? We’re still absorbing the cost of the enterprise solutions that we’ve implemented in the past decade. At the same time, we’re investing in new technologies—EDWs [enterprise data warehouses], migrating to the cloud, [and deploying] new digital technologies. So I’d like to ask CIOs, what are you spending the funding on? And what are you doing with it?”

As Zoph sees it, “No more than 75 percent should be on managing the technology in front of you. At a time when you have to either grow service lines or enhance things by adding new value—that could be optimization efforts, and all of that, involved in the next 20 percent, with 5 percent dedicated to truly totally new technology. So 20 percent should be devoted to improving on what we have, on operations to drive clear value; and then reserve a bit of that for innovation—incubating the future of your health system with technology, process, and risk-taking.” And that operating environment, he notes, is vastly different from what it was like 20 years ago, when so much time and effort were focused on implementing electronic health records (EHRs) in the then-still-largely-paper-based patient care organizations. Going forward, he emphasizes, healthcare IT leaders need to see data as “the new asset,” from which value can be created.

With regard to spending processes, Kara Marx, vice president of applications at the four-hospital Sharp HealthCare integrated health system in San Diego, says that she is seeing a profound shift on another level, though. “It’s a shift from capital-based budgeting to operating budgets: capital budgets are starting to shrink, while operating budgets are increasing. Capital budgets involve things you would buy and then upgrade, and vendors aren’t doing that so much anymore; they’re selling subscription-based tools instead.” That fact, she says, will become more and more apparent in the coming years, as the types of software purchases that involved very large initial outlays of capital, such as EHRs, give way to the new forms of software-as-a-service and other types of technology that will be supported through subscription-based and similar new business models.

The shift to value—and the clinical and operational transformation involved

As everyone knows, the strategic, operational, and strategic healthcare IT trends of this moment are not coming out of nowhere; indeed, they are absolutely connected strongly to the shift from volume to value, a shift that is being forced forward by the purchasers and payers of healthcare who have decided that hospitals, physicians, medical groups, and all other providers of care can no longer continue on the trajectory that, according to the Medicare actuaries, will push the total annual costs of the U.S. healthcare system from the current $3.6 trillion (as of 2018) to $5.963 trillion by 2027.

That “burning platform for change” is focusing the minds of everyone in the U.S. healthcare industry, and is turbocharging the participation of patient care organizations—hospitals, medical groups, and integrated health systems—in value-based contracting.

Per that, the survey found considerable participation in value-based contracts.

Healthcare Innovation asked, “What kinds of value-based contracting is your organization involved in?” [respondents could say yes to as many as they were involved in.]

Still, when asked, “Do any of your value-based contracts involve two-sided risk?”—only a minority are yet doing so:

  • Yes, with Medicare (MSSP): 12 percent
  • Yes, with Medicaid: 10.7 percent
  • Yes, with private health insurers: 13.3 percent
  • No: 64 percent

And, with regard to the data analytics needed to succeed under value-based contracts, the survey asked:

“Have you begun using analytics to support population health management and care management work?”

We also asked, “Have you done health risk assessment yet across broad populations?”
  • Yes: 30.7 percent
  • Not yet, but plan to do so soon: 45.3 percent
  • No: 24 percent

And, we asked, “Have you implemented care management programs at the primary care level, involving physicians and teams?”

We then asked, “Are you actively working on incorporating social determinants of health (SDOH) data into your population health and care management work?”

With regard to the percentage of patient care organizations involved in value-based contracts, Don Crane, president and CEO of America’s Physician Groups (APG), the Los Angeles-based association representing over 300 medical groups, independent practice associations, and integrated healthcare systems across the nation, says of our survey results, “The penetration of value/risk-based contracting, including downside risk, is about what I would expect,” and matches the findings of other recent surveys and studies. Part of the reason for that is the dearth of well-designed programs that induce providers to participate. “The MSSP program is fraught with flaws,” he says, “so it’s no wonder the number of MSSP ACOs actually decreased from 2017 to 2018. I think the new Direct Contracting pilot/models recently commenced will change that picture significantly; these new models are vastly improved.” What will the pace of adoption of risk-based contracting among all providers look like in the next few years? “I expect steady growth, fueled in large part by the new Primary Care First and Direct Contracting models just reeased,” Crane says.”
It’s clear, says Barbara Spivak, M.D., that “More and more insurers are moving towards some type of value-based care. But most organizations are not really organized in a way as to take downside risk,” says Spivak, the president and CEO of the Mt. Auburn Cambridge IPA (MACIPA) in the Boston metropolitan area. “And among those that do, many of them are achieving success more through luck than by design. I also think that success is often defined in odd ways, around whether you make or lose money. But so often, whether you make or lose money is based on how your benchmark is set, rather than through your utilization work. And in the commercial world, Medicare, and Medicaid, it’s not about whether you’ve improved quality or utilization, but rather about whether you’ve improved against a budget that may or may not have been set appropriately. That’s why people have been unexcited about taking on downside risk.”

Meanwhile, none of the clinical and operational transformation that will be necessary for patient care organizations to succeed under value-based contracts will be possible without the robust leveraging of data analytics.

“If I’m going to be in a universe where I have downside risk, I should really be advanced in my ability to leverage analytics for population health management; and for those who have implemented comprehensive primary care strategies, leveraging data analytics really is table stakes,” says Christopher DeRienzo, M.D., chief medical officer and chief quality officer at the three-hospital WakeMed Health system based in Raleigh, N.C. “In order to really think about population health, you have to have analytics,” he says. And, while some organizations, such as Kaiser Permanente, Intermountain Health, and Geisinger Health “have been in middle-aged maturity for a while, on average, nationwide,” he says that, in terms of overall development, “we’ve moved out of elementary school, and maybe we’re middle-schoolers or adolescents. And as a health system, provider group, or plan, you have to be positioned the right way to begin playing in population health, and that takes years to build. We’re seeing the fruits of the early labor; the people who invested in people, technology and tools, and infrastructure and process, are moving forward. And there are a lot more folks in a more mature stage than was true in 2012.”

And, says MACIPA’s Spivak, “I think if you don’t have the capacity to do analytics internally or the ability to buy it, you shouldn’t even be in upside-only risk. Because the only way to manage risk is to have very impressive analytics, and the analytics need to be at multiple levels. You need analytics, for example, that will tell you in a global risk model, where you’re sending your nursing home patients. If you’re not on an EHR that allows you to monitor the quality performance of your primary care group in terms of immunizations, diabetics and blood pressure, how are you going to do quality improvement programs? You need the data. So the only way to succeed is with some kind of data platform that generates both quality and utilization information. And there are plenty of groups out there that you can buy it from.”

“One of the biggest challenges is the problem with trusted data, reliable data, and timely data exchange, and the establishment of regional and even national data-sharing networks,” says Chet Stagnaro, a principal with Impact Advisors. The Sacramento, Calif.-based Stagnaro says that “Providers need greater transparency into the real cost of the services they provide. And they have to achieve greater insights into care delivery and outcomes, and need to look more deeply into clinical workflows. Many times, providers don’t necessarily have access to the data to understand the best choices available, with respect to managing costs.” In order to achieve success in value-based contracting, he says, “It’s all going to be having the maximum information and choices to manage workflow and care delivery.”

Still, even though the leaders of many patient care organizations across the country are moving forward as quickly as possible to do what’s necessary to become successful in the emerging value-based healthcare world, there is considerable complexity involved in that journey, says James Whitfill, M.D., chief transformation officer at the five-hospital HonorHealth system in Phoenix.

“Overall, across the country,” Whitfill says, “there continues to be this pressure in terms of taking on more risk—on the macro and micro levels. Geisinger, Intermountain, UPMC, and Kaiser, obviously—these big combined payer-provider organizations continue to grow. And they have the greatest incentive to manage populations. At the micro level, having been involved in the MSSP world, I see CMS continuing to incentivizing smaller physician groups not attached to hospitals to participate, giving them more time to participate in upside contracts—and they continue to be more successful than hospitals.” Still, he says, MSSP ACOs continue to be challenged by the shifting benchmarks assigned to them by CMS. “We went from tens of millions of dollars’ worth of savings in 2017,” he says, “to seeing it drop into low single digits in 2018; and it’s not that our spending went up during that time, it’s that the benchmark was pushed down. So that’s rather demoralizing.”

Cybersecurity: industry experts see major security management gaps

Our survey asked readers a number of questions regarding cybersecurity or data security. Here they are:

“Have you implemented significant network segmentation, including around your EHR, medical devices, and other critical clinical information systems and computerized devices?”

“How often do you perform backups of your core information systems?”
  • Daily: 64 percent
  • Between daily and once a week: 18.7 percent
  • Between once a week and once a month: 10.7 percent
  • Between once a month and once a year: 4 percent
  • Less often than once a year: 2.7 percent

“Do you perform audits on your information system backups?”

Have you engaged the services of an external security operations center (SOC)?”
  • Yes: 44 percent
  • Not yet, but plan to do so: 14.7 percent
  • No plans to do so: 41.3 percent

With regard to the first three IT security-related questions above, Mac McMillan, the CEO emeritus of the Austin, Texas-based CynergisTek consulting firm, says, “The last is the most important,” referring to audits of backups. “If you haven’t done the last one”—auditing your backups—”it means you don’t have the ability to detect, and you’re not ready.” The fact that nearly half of patient care organizations haven’t yet done significant network segmentation, he says, reflects “how difficult and costly it is to segment a network, especially a large one, once it’s been developed over years in a flat format.” Still, he warns, “As your network is still flat, the attack surface is far bigger than if it weren’t.”

Asked whether healthcare IT executives and managers who never do backups should be fired, McMillan says, “I’m sorry, but that’s negligence. Even backing up once a month, given the amount of activity that goes on in any hospital on any given day, is negligent,” he says. “A lot of organizations do a full backup once a week, and a partial backup every day. Smart organizations do a daily partial backup, and then do a full backup on the weekend, which is everything, plus all of their system configurations. It’s not just your data, but also all the configurations for all your systems. What typically hurts most organizations in an outage is not an ability to restore their data, but their systems—every system on the network.”

One of the very big challenges involved, McMillan says, is around the complexity of configurations. “Think about the average hospital today, which has hundreds or thousands of servers, thousands of workstations, and thousands of applications,” he offers. “Every one of those systems and applications is configured based on how they’re being used today. Things that get information from or to the EHR have to be configured to work with the EHR. And they’re configured based on their version today.”

Peering into the near future, McMillan says, “Whether we like it or not, cyber has become a new, mainstream criminal activity, across industries. As a result, he says, “More people will be using SOCs”—security operations centers—hosted by IT security firms. Most hospital-based organizations, he says, simply are not positioned to handle all the complex tasks and challenges facing patient care organizations nowadays, in the current and emerging IT security climate.

With regard to the staffing and funding in that area, Sharp’s Marx says that cybersecurity is receiving considerably more funding now partly because of its underfunding until recently. As an industry, she says, “In the planning we did, we knew we were underfunded; we needed to ramp up to where we needed to be, and then we’ll ultimately back down slightly and plateau. A lot of people say that their IT percentage of overall organizational expenses, are 3 to 4 percent; they’re spending 7 to 8 percent on security, but will probably back down ultimately to 5 to 6 percent. The 7 to 8 percent on security is of the overall organization, too.”

Our survey also asked whether a respondent’s organization has a chief information security officer (CISO), and to whom their CISO reported, if they had one.

Respondents were then asked, “To whom does your CISO report?” Thirty-one percent said to the CIO; the same number said to the CEO; 24 percent answered “other”; and 5 percent said to the CFO.

“I’m very passionate about the need for CISOs,” says Shefali Mookencherry, a principal advisor with Impact Advisors. “When an organization doesn’t have a CISO designated, I feel as though they’re trying to get by,” she says. “HIPAA says you need a designee as a security officer, to comply with their statute. But organizations should be investing in a CISO, because that one individual can drive processes throughout the organization, as an everyday concern, and not as an afterthought, in terms of HIPAA compliance. CISOs also can help to create a security culture. And the most important element of the CISO role is providing the education to the board, and that positions the organization to better handle any threats that come their way.”

Sponsored Recommendations

Northeast Georgia Health System: Scaling Digital Transformation in a Competitive Market

Find out how Northeast Georgia Health System (NGHS) enabled digital access to achieve new patient acquisition goals in Georgia's highly competitive healthcare market.

2023 Care Access Benchmark Report for Healthcare Organizations

To manage growing consumer expectations and shrinking staff resources, forward-thinking healthcare organizations have adopted digital strategies, but recent research shows that...

Increase ROI Through AI: Unlocking Scarce Capacity & Staffing

Unlock the potential of AI to optimize capacity and staffing in healthcare. Join us on February 27th to discover how innovative AI-driven solutions can revolutionize operations...

Boosting Marketing Efficiency: A Community Healthcare Provider’s Success Story

Explore the transformative impact of data-driven insights on Baptist Health's marketing strategies. Dive into this comprehensive case study to uncover the value of leveraging ...