January-February Cover Story
In a time of extraordinary change and tension in U.S. healthcare, the leaders of patient care organizations are navigating an exceptionally unsettled and unstable landscape. As everyone knows, the COVID-19 pandemic has impact patient care organizations in many ways, and has highlighted the need to leverage leading-edge data analytics in order to navigate the instability of the moment and to move forward. How are IT budgets being impacted? How quickly are leaders moving to make analytics a core part of the solution to a welter of problems and challenges? How quickly are they shifting into risk-based and other value-based contracts during a time of hesitation and uncertainty? And how are they managing the intensifying cybersecurity threat vectors right now?
For the third year in a row, the editors of Healthcare Innovation surveyed patient care organization leaders nationwide, through an online survey conducted in November and December of last year. In the following article, readers will see how more than 100 senior patient care organization leaders responded to this year’s survey questions, and will hear how leading industry experts view the results.
Mixed news on the value-based delivery and payment front
The COVID-19 pandemic has jumbled a lot of predictions that industry analysts had been making regarding the advancement of value-based and especially risk-based contracting. A year ago, when we asked survey respondents, we got the following results: 35 percent were participating in the Medicare Shared Savings Program (MSSP); 22 percent were participating in the Next Generation ACO (accountable care organization) Program; 27 percent were participating in a Medicaid ACO program; 42 percent were participating in an ACO or value-based contract with a private health insurer; while 38 percent were participating in no value-based program (of course, the percentages of participation add up to more than 100 percent, since many organizations are participating in multiple types of programs).
But this year? The percentage of those participating in the MSSP has dropped slightly from 35 percent to 32.67 percent; the percentage participating in the Next Gen program (which has just been shut down) dropped to 14.85 in 2021; the percentage participating in a Medicaid ACO program has dropped from 27 percent to 19.8 percent; the percentage involved in a private health plan contract has fallen from 42 percent to 37.62 percent; but the percentage not participating in no value-based program has dropped to 29.7 percent, meaning that more are participating in some sort of value-based program.
Interestingly, though, the percentage of organizations taking on downside/two-sided risk has shifted in interesting ways. For example, the percentage of organizations with 0-5 percent of their revenues coming from two-sided risk contracts has gone from 22 percent a year ago to 32.67 percent this year, though the percent with 50-10 percent of their revenues in two-sided risk has gone from 12 percent a year ago to 9.9 percent this year. Organizations with 10-15 percent of their revenues at downside risk? 18 percent last year and 10.89 percent this year. How about 15-20 percent? Only 4 percent last year but 9.9 percent this year. More than 20 percent? Only 4 percent last year, but 5.94 percent this year.
What do those numbers mean? “That data suggests that the relative amount of risk that providers are taking on is increasing; that makes sense to me,” says John Klare, co-CEO at the Naperville, Ill.-based Impact Advisors consulting firm. “A broader construct that’s interesting,” Klare says, “is that my gut sense tells me that there are advantages and disadvantages in taking on partial risk. The advantage is you reduce the downside risk exposure, but the disadvantage is that it’s hard to hold onto the benefits.” Indeed, one of the criticisms of the benchmarks currently built into the MSSP program is that they make it harder over time for participating ACOs to continue making significant progress to the point where they continue to see shared savings. “Yes, that’s right,” Klare says. “If you set my contract at saving $5 this year on $100, next year, their contract will be written at 95 percent. So I think that providers should consider full-risk contracts. I think if they keep taking partial risk, over time, you can’t win that game with payers. Whereas if you take full risk and keep the contracts aligned and are able to perform well, you can gain the advantage. There are benefits in taking full risk in certain markets.”
These complicated results, Klare says, speak to a fundamental truth, even in the face of the pandemic-induced challenges of the current moment. “I think that providers feel that they’re increasingly being asked, if not even driven, into value-based contracts,” he says. And there’s a lot of money coming into the field to support disruptors. And some of the private equity money is really interesting, because the valuations seem to be extraordinarily high for some of those new companies, as though the private equity people believe there’s a tremendous growth opportunity.” Could risk-based contracting accelerate dramatically in the next couple of years? “It could, depending on disruptors coming into the marketplace and how much energy you see coming from for-profit companies,” Klare says, “but it’s hard to predict.”
What are the broader implications of these survey results? “I think number one is that whatever you do has to be completely integrated and coordinated with the physicians providing the care, says David Joyner, CEO of the San Ramon, Calif.-based Hill Physicians, a 5,000-physician IPA (independent practice association) that is both one of the largest and one of the most advanced physician organizations in California, and which has been nationally recognized for decades for its advanced work around population health management. “The pitfall that people can fall into when they think about value-based care, is that they think that value-based care is about hiring nurses and care managers, etc.; but what really makes the difference is having the physicians be aligned with what you’re trying to achieve. It’s things like providing data to them. For example, we have tools the physicians can use that identify gaps in care, and ranks the patients by their number of gaps in care. Physicians can easily hand that to their case managers. The point is integrating with physicians at the core place where physicians and patients interact.”
There are complex policy, payment, and healthcare market dynamics at play right now, says James Whitfill, M.D., senior vice president and chief transformation officer at the six-hospital Honor Health integrated system based in Scottsdale, Ariz. “There are a couple of things going on out there,” Dr. Whitfill notes. “In many markets, outside of Medicare Advantage, many health plans might not truly be ready to go into value-based contracting. And for providers, it’s important to spread one’s investments out across multiple payers. And I think CMS and CMMI [the federal Centers for Medicare and Medicaid Services, and the Center for Medicare and Medicaid Innovation] are starting to get a bit more focused; we may even see some of the options shrink in the next few years. So I’m skeptical that things will move really fast in the next few years. And CMS and CMMI—they know there has to be more than one program, but these programs start to overlap. And as an organization that’s tried to do BPCI [the federal Bundled Payments for Care Improvement Initiative] at the same time as MSSP, these programs can start to overlap and make this more complex. So I think they’re trying to make that easier to get more participants.”
Moving forward on data analytics
Of course, one of the core foundations of establishing the population health management and care management programs needed to facilitate success in value-based and risk-based contracting is the successful leveraging of data analytics. How far along are provider leaders, along that dimension?
This is how those surveyed responded: 31.68 percent of respondents said that “We are advanced in our analytics development”; 42.57 percent said, “We are early on in our analytics journey”; meanwhile, 9.9 percent said, “We have not used data analytics until now”; and 6.93 percent said that “We have no plans to use data analytics on any level of scale,” while 8.91 percent said they were not sure. A year ago, 37 percent described themselves as “advanced” in their analytics department; 38 percent they were “early on” in their journey; and 12 percent had not used data analytics until that point, while 12 percent said they had no plans to move forward on data analytics.
If the leveraging of data analytics is foundational to successfully pursuing population health management and care management in the context of value-based contracting, how are healthcare IT leaders doing, with regard to the resources needed to support analytics work? Among this year’s survey respondents, 30.69 percent said that more than 10 percent of their organizational revenues on health IT; 33.66 percent said they are spending between 5 and 10 percent of those revenues on health IT; 16.83 percent said they are spending 0-5 percent on health IT; while 18.81 percent are not sure. A year ago, the results were thus: 35 percent said more than 10 percent, 34 percent said 5-10 percent, and 31 percent said 0-5 percent.
Have health IT budgets increased, decreased, or stayed the same? Fully 65.35 percent of respondents report that their budgets have increased over the past years; 20.79 percent say their budgets have stayed the same; and only 5.94 percent say they have decreased. A year ago, those figures were 67 percent, 26 percent, and 7.5 percent, respectively.
Looking at those results from this year and last year, DJ Skalsky, a vice president at Impact Advisors who oversees the firm’s IT Advisory Services, says, “I was surprised: the ‘more than 10 percent’ figure was higher than I expected it would be. When we talk in the industry, most organizations fall within 4-6 percent of revenues spent on IT right now. I think that that dialogue may need to adjust over time. There may be a couple of causes; labor costs are increasing. Another element is that organizations are getting larger, and with that, they’re able to consolidate IT and pull it in centrally, and then all of a sudden, you have more visibility into the numbers. So it’s not always that you’re actually spending more money, is that you have more visibility. And responding to the survey result that 64.52 percent of respondents have seen their IT budgets increase over the past two years (last year, that figure was 67 percent), while 21.51 have seen their budgets stay the same (that figure was 26 percent a year ago), and only 5.38 percent report that their budgets have decreased over the past two years (that figure was 7.5 percent last year), Skalsky says that “I do see budgets expanding over time; that has to do with technology being more relevant; AI is starting to become a useful tool. And providers are realizing how much they need analytics. So when you start to realize you need the tools, you add them into your environment, and simply because of that, and because of the need for analytics, the total cost of health IT will go up” in the years to come.”
Indeed, with regard to the accelerating demand for analytics to support value-based care delivery, Skalsky says that, “Yes, it’s multidimensional. You’re trying to manage the care and the spend. And you’re going to have to consider the social determinants of health (SDOH), and health information exchange (HIE), to get data from all the partners you partner with for care delivery. So, yes, the necessity for analytics is exacerbated with VBC and will continue to be a need going forward.”
Cybersecurity: exploding threat vectors
If there’s a single area of deep concern in healthcare these days apart from overall financial stability, it is the intensifying set of cybersecurity threats facing patient care organizations nationwide (and indeed, globally, for that matter. Asked what their experience with cyber threats and attacks has been relative to one year ago, 45.05 percent of survey respondents said that it has become more challenging, while 36.26 say it has stayed about the same. Only 3.3 percent reported that it has actually become less challenging. Industry experts are all in agreement: things are becoming worse, more dangerous, now. “Based on our experience with our clients, I’m obviously in the camp that says this year has been more challenging,” says Mac McMillan, president and CEO of the Austin, Tex.-based CynergisTek consulting firm. “And it’s more challenging not just because the threat continued to intensify, but because healthcare IT leaders have more issues on their plates, including the pandemic. And the whole thing where insurance is essentially backing away from the table, making it more difficult to get coverage. Overall, it’s been much harder.” What’s more, he says, “From a staffing perspective, a lot of patient care organizations actually lost staff; people left their jobs. So health systems were already resource-constrained, and became even more so. And moving everybody to a remote platform; nobody ever imagined having their IT organization outside the building; and it wasn’t just the security issues around the remote connections, but the number of remote connections they had to support was far larger than ever before. And then the workflow things that were impacted.”
Meanwhile, when asked, “Has your organization experienced a malware attack, a ransomware attack, or other form of cybersecurity breach that has led to significant disruption of EHR [electronic health record] or other information systems usage?” 16.48 percent said yes, 70.33 percent said no, and 13.19 percent said they weren’t sure. Asked whether the 16.48 figure seems a bit low, McMillan answers, “No, because the way people define ‘significant disruption’ is two or more weeks of downtime. And that number is still relatively low; but if you look at the percentage of organizations that have experienced some level of outage is 93-95 percent; it’s damned near everybody.”
When asked how often their organizations are performing backups of their core information systems, 52.75 of respondents said “daily”; 17.58 percent, between daily and once a week; 4.4 percent between once a week and once a month; another 4.4 percent between once a month and once a year; and 1.1 percent, less often than once a year. Reacting to those results, McMillan says, “If it’s a core system in a hospital and they’re not backing it up daily, they’re scaring the hell out of me. The whole thing with backups remains not just that you’re doing it, but where you’re putting the backups, so that the hacker who gets in, often now, they’re encrypting the backups before encrypting the systems, because they’re sitting on the same network. In a conversation today, someone was asked to pull out their incident response form; they couldn’t do it, because it was sitting on the network. And often, even if they’re doing the backups, the question is, do you understand how long it will take to back up your entire system?” In most cases, he notes, “The amount to pay the ransom is far less than the money you’ll lose in missed opportunity while you’re waiting for your backups to restore.”
What about two key areas of concern, around network segmentation and around cybersecurity insurance? We asked executives whether they had implemented network segmentation: only 51.49 percent had done so, to date, though an additional 13.86 percent planned to do so, while 15.84 percent had no plans to do so, and 18.81 percent were not sure. Meanwhile, 45.54 percent have purchased cybersecurity insurance; and another 13.86 percent are considering doing so, while 15.84 percent are not planning to do so.
And the landscape around cyber insurance is shifting, as more and more patient care organizations are hit with attacks. Richard Staynings, a lecturer in cybersecurity at the University of Denver and the chief security strategist at the New York City-based Cylera cybersecurity services firm, says, “Yes, premiums have more than doubled for most organizations I’m familiar with; and that’s a reflection of rising risk factors. And also, yes, after a breach, the insurance company does an investigation, and determines that you failed to put some defenses in place, so they’ll reduce your $5 million to $1 million based on your failures.” As for network segmentation, he says that “I would suggest that if 51 percent are saying they’ve got properly segmented networks, they’re probably not understanding what ‘segmented networks’ actually means. Putting your medical devices on a separate VLAN is one thing; actually segmenting your devices securely to an enclave that cannot be accessed, is another thing altogether. Segmentation is not simple; it’s fairly complex, in terms of the types of security technologies that can be used. You really have to look at compensating security controls, which means micro-segmentation. And keeping profiles up to date remains the biggest challenge—creating an accurate profile of devices, so that they can be segmented or micro-segmented.”
What’s more, Staynings says, even such physical elements in patient care organizations as ventilation (HVAC) systems and elevators are now vulnerable. “All hospitals really need to be building a plan for micro-segmentation, for both medical devices and such areas as HVAC, including elevators. Most of those elevator and HVAC systems are being remotely controlled now. And if you don’t have negative airflow in your ORs, you can’t operate. So there’s a lot of equipment in today’s hospital organizations that really need to be given extra layers of security. And unfortunately, it’s an uphill battle for organizations without adequate technology and support.”
Gary Gooden, chief technology and security officer at Seattle Children’s Hospital, adds that, “in many organizations, your cybersecurity practice is not linked to your infrastructure practice. And you’ve historically had silos in terms of work, with internal bureaucracies that end up being brakes on progress. You need to show leadership” as a CISO in order to align processes, he says. “And your DR [disaster recovery] teams have to be tied into how you back up and store on a systemic basis.”
Additional data points around cybersecurity are as follows: asked whether they’ve engaged the services of an external security operations company (SOC), 30.99 percent said yes; and an additional 12.87 percent plan to do so. Just 29.7 percent have no plans to do so, while 26.73 percent remain unsure.
Meanwhile, 37.62 percent of organizations have a chief information security officer (CISO), while an additional 12.87 percent plan to hire one; but fully 49.5 percent have no plans to do so. Among those organizations that have a CISO, that person reports to the CIO 28.71 percent of the time; to the CEO 12.87 percent of the time; to the CTO 5.94 percent of the time; and to either the COO or CFO 4.95 percent of the time, each.
Moving forward into the future with hospital-at-home programs, and AI
With regard to more and more systems and machines being connected going forward, one development that will doubtless require attention, when it comes to cybersecurity concerns, will be the emergence of hospital-at-home programs. We asked survey respondents whether they have established hospital-at-home programs yet. Among those for whom the question was applicable, the following are the results: 14 percent have fully implemented a hospital-at home program; another 14 percent have gone live with an initial implementation; and 42 percent are in the planning stages. Meanwhile, 29.8 percent have no plans to implement such a program.
Asked in which area of activity their organizations have moved forward to adopt artificial intelligence (AI) and machine learning (ML), 50.5 percent of respondents indicated that they hadn’t yet moved forward in any area. Meanwhile, 30.69 percent have moved forward in some clinical area (patient care delivery, clinical transformation, etc.); 22.77 percent have moved forward in an operational or administrative area; and 16.83 percent have moved forward in a financial/revenue cycle management area.
Meanwhile, asked what their top strategic IT priority was going into the next 12 to 24 months, respondents indicated the following: EHR optimization, 34.65 percent; data analytics optimization, 18.81 percent; infrastructure and platform development, 17.82 percent; and revenue cycle management optimization, 9.9 percent. Meanwhile, 13.86 percent were not sure, and 4.95 percent indicated other top priorities, among them, “ERP replacement/modernization,” “operational efficiency and scalability,” “website design,” and “wide implementation of Epic over three major health networks.”
When it comes to priorities, there is good news on one specific area: incorporating the social determinants of health (SDOH) into population health management and care management work. Among respondents, fully 59.41 percent are already incorporating SDOH into their population health and care management work, and an additional 19.8 percent are planning to do so soon. Only 15.84 percent have no plans to do so, while 4.95 percent are not sure. Those results have changed considerably over the course of a year; last year, 44 percent of respondents had already been incorporation SDOH, while 34 percent planned to do so, and 22 percent had no plans to do so.
