Budgets and staffing to support organizational and transformation change are looking up, even as healthcare and healthcare IT leaders face enormous challenges in the shift from volume to value in U.S. healthcare delivery and payment, and in making concrete progress in the clinical and operational transformation needed to succeed under value-based contracts with public and private payers. Meanwhile, major gaps remain in enhancing the level of cybersecurity preparedness nationwide.
Those are among the findings of the Healthcare Innovation State of the Industry Survey, conducted online during the autumn of 2019. This article will focus on some of the major findings, with industry leaders and observers sharing their insights and perspectives on the major findings. The survey included responses from nearly 200 senior healthcare executives at hospitals, health systems, medical groups, and other patient care organizations.
Healthcare IT budgets and staffing: mostly good news
Let’s begin with some basic findings. We asked readers: “Compared to two years ago, how has your IT budget changed?”
More than seven in 10 respondents (73 percent) said their budgets have increased by less than 15 percent, while 27 percent said they’ve increased by more than 15 percent. About 7.5 percent of respondents said their budgets have risen by more than 25 percent.
“How large is your IT staff overall?”
- 1 to 25: 65.3 percent
- 25 to 50: 13.3 percent
- 51 to 100: 2.7 percent
- 100 to 150: 9.3 percent
- More than 250: 9.3 percent
The only negative finding is around staffing, where fully 65.3 percent reported staffs of 25 or under. That having been said, the survey respondents represent every size of hospital facility, including critical-access facilities, as well as medical groups; when that factor is taken into account, the results seem less dire.
As Zoph sees it, “No more than 75 percent should be on managing the technology in front of you. At a time when you have to either grow service lines or enhance things by adding new value—that could be optimization efforts, and all of that, involved in the next 20 percent, with 5 percent dedicated to truly totally new technology. So 20 percent should be devoted to improving on what we have, on operations to drive clear value; and then reserve a bit of that for innovation—incubating the future of your health system with technology, process, and risk-taking.” And that operating environment, he notes, is vastly different from what it was like 20 years ago, when so much time and effort were focused on implementing electronic health records (EHRs) in the then-still-largely-paper-based patient care organizations. Going forward, he emphasizes, healthcare IT leaders need to see data as “the new asset,” from which value can be created.
The shift to value—and the clinical and operational transformation involved
As everyone knows, the strategic, operational, and strategic healthcare IT trends of this moment are not coming out of nowhere; indeed, they are absolutely connected strongly to the shift from volume to value, a shift that is being forced forward by the purchasers and payers of healthcare who have decided that hospitals, physicians, medical groups, and all other providers of care can no longer continue on the trajectory that, according to the Medicare actuaries, will push the total annual costs of the U.S. healthcare system from the current $3.6 trillion (as of 2018) to $5.963 trillion by 2027.
That “burning platform for change” is focusing the minds of everyone in the U.S. healthcare industry, and is turbocharging the participation of patient care organizations—hospitals, medical groups, and integrated health systems—in value-based contracting.
Per that, the survey found considerable participation in value-based contracts.
Healthcare Innovation asked, “What kinds of value-based contracting is your organization involved in?” [respondents could say yes to as many as they were involved in.]Still, when asked, “Do any of your value-based contracts involve two-sided risk?”—only a minority are yet doing so:
- Yes, with Medicare (MSSP): 12 percent
- Yes, with Medicaid: 10.7 percent
- Yes, with private health insurers: 13.3 percent
- No: 64 percent
And, with regard to the data analytics needed to succeed under value-based contracts, the survey asked:
“Have you begun using analytics to support population health management and care management work?”
- Yes: 30.7 percent
- Not yet, but plan to do so soon: 45.3 percent
- No: 24 percent
And, we asked, “Have you implemented care management programs at the primary care level, involving physicians and teams?”
We then asked, “Are you actively working on incorporating social determinants of health (SDOH) data into your population health and care management work?”
Meanwhile, none of the clinical and operational transformation that will be necessary for patient care organizations to succeed under value-based contracts will be possible without the robust leveraging of data analytics.
“If I’m going to be in a universe where I have downside risk, I should really be advanced in my ability to leverage analytics for population health management; and for those who have implemented comprehensive primary care strategies, leveraging data analytics really is table stakes,” says Christopher DeRienzo, M.D., chief medical officer and chief quality officer at the three-hospital WakeMed Health system based in Raleigh, N.C. “In order to really think about population health, you have to have analytics,” he says. And, while some organizations, such as Kaiser Permanente, Intermountain Health, and Geisinger Health “have been in middle-aged maturity for a while, on average, nationwide,” he says that, in terms of overall development, “we’ve moved out of elementary school, and maybe we’re middle-schoolers or adolescents. And as a health system, provider group, or plan, you have to be positioned the right way to begin playing in population health, and that takes years to build. We’re seeing the fruits of the early labor; the people who invested in people, technology and tools, and infrastructure and process, are moving forward. And there are a lot more folks in a more mature stage than was true in 2012.”
And, says MACIPA’s Spivak, “I think if you don’t have the capacity to do analytics internally or the ability to buy it, you shouldn’t even be in upside-only risk. Because the only way to manage risk is to have very impressive analytics, and the analytics need to be at multiple levels. You need analytics, for example, that will tell you in a global risk model, where you’re sending your nursing home patients. If you’re not on an EHR that allows you to monitor the quality performance of your primary care group in terms of immunizations, diabetics and blood pressure, how are you going to do quality improvement programs? You need the data. So the only way to succeed is with some kind of data platform that generates both quality and utilization information. And there are plenty of groups out there that you can buy it from.”
“One of the biggest challenges is the problem with trusted data, reliable data, and timely data exchange, and the establishment of regional and even national data-sharing networks,” says Chet Stagnaro, a principal with Impact Advisors. The Sacramento, Calif.-based Stagnaro says that “Providers need greater transparency into the real cost of the services they provide. And they have to achieve greater insights into care delivery and outcomes, and need to look more deeply into clinical workflows. Many times, providers don’t necessarily have access to the data to understand the best choices available, with respect to managing costs.” In order to achieve success in value-based contracting, he says, “It’s all going to be having the maximum information and choices to manage workflow and care delivery.”
Still, even though the leaders of many patient care organizations across the country are moving forward as quickly as possible to do what’s necessary to become successful in the emerging value-based healthcare world, there is considerable complexity involved in that journey, says James Whitfill, M.D., chief transformation officer at the five-hospital HonorHealth system in Phoenix.
“Overall, across the country,” Whitfill says, “there continues to be this pressure in terms of taking on more risk—on the macro and micro levels. Geisinger, Intermountain, UPMC, and Kaiser, obviously—these big combined payer-provider organizations continue to grow. And they have the greatest incentive to manage populations. At the micro level, having been involved in the MSSP world, I see CMS continuing to incentivizing smaller physician groups not attached to hospitals to participate, giving them more time to participate in upside contracts—and they continue to be more successful than hospitals.” Still, he says, MSSP ACOs continue to be challenged by the shifting benchmarks assigned to them by CMS. “We went from tens of millions of dollars’ worth of savings in 2017,” he says, “to seeing it drop into low single digits in 2018; and it’s not that our spending went up during that time, it’s that the benchmark was pushed down. So that’s rather demoralizing.”
Cybersecurity: industry experts see major security management gaps
Our survey asked readers a number of questions regarding cybersecurity or data security. Here they are:
“Have you implemented significant network segmentation, including around your EHR, medical devices, and other critical clinical information systems and computerized devices?”
- Daily: 64 percent
- Between daily and once a week: 18.7 percent
- Between once a week and once a month: 10.7 percent
- Between once a month and once a year: 4 percent
- Less often than once a year: 2.7 percent
“Do you perform audits on your information system backups?”
- Yes: 44 percent
- Not yet, but plan to do so: 14.7 percent
- No plans to do so: 41.3 percent
With regard to the first three IT security-related questions above, Mac McMillan, the CEO emeritus of the Austin, Texas-based CynergisTek consulting firm, says, “The last is the most important,” referring to audits of backups. “If you haven’t done the last one”—auditing your backups—”it means you don’t have the ability to detect, and you’re not ready.” The fact that nearly half of patient care organizations haven’t yet done significant network segmentation, he says, reflects “how difficult and costly it is to segment a network, especially a large one, once it’s been developed over years in a flat format.” Still, he warns, “As your network is still flat, the attack surface is far bigger than if it weren’t.”
One of the very big challenges involved, McMillan says, is around the complexity of configurations. “Think about the average hospital today, which has hundreds or thousands of servers, thousands of workstations, and thousands of applications,” he offers. “Every one of those systems and applications is configured based on how they’re being used today. Things that get information from or to the EHR have to be configured to work with the EHR. And they’re configured based on their version today.”
Peering into the near future, McMillan says, “Whether we like it or not, cyber has become a new, mainstream criminal activity, across industries. As a result, he says, “More people will be using SOCs”—security operations centers—hosted by IT security firms. Most hospital-based organizations, he says, simply are not positioned to handle all the complex tasks and challenges facing patient care organizations nowadays, in the current and emerging IT security climate.
With regard to the staffing and funding in that area, Sharp’s Marx says that cybersecurity is receiving considerably more funding now partly because of its underfunding until recently. As an industry, she says, “In the planning we did, we knew we were underfunded; we needed to ramp up to where we needed to be, and then we’ll ultimately back down slightly and plateau. A lot of people say that their IT percentage of overall organizational expenses, are 3 to 4 percent; they’re spending 7 to 8 percent on security, but will probably back down ultimately to 5 to 6 percent. The 7 to 8 percent on security is of the overall organization, too.”
Our survey also asked whether a respondent’s organization has a chief information security officer (CISO), and to whom their CISO reported, if they had one.
“I’m very passionate about the need for CISOs,” says Shefali Mookencherry, a principal advisor with Impact Advisors. “When an organization doesn’t have a CISO designated, I feel as though they’re trying to get by,” she says. “HIPAA says you need a designee as a security officer, to comply with their statute. But organizations should be investing in a CISO, because that one individual can drive processes throughout the organization, as an everyday concern, and not as an afterthought, in terms of HIPAA compliance. CISOs also can help to create a security culture. And the most important element of the CISO role is providing the education to the board, and that positions the organization to better handle any threats that come their way.”