Here’s what you need to know to help your CIO make financially sound decisions
There are aspects of technology that you, as a CFO, need to worry about – but becoming unnecessarily absorbed in technical details might make you overlook practical concerns and following all the advice in healthcare management books might leave you thrashing around in the weeds.
Here’s what you need to know:
What you don’t need to worry about
Recognize the difference between yourself and the CIO or CTO – and enjoy it. Your role is encouraging the chief technology officer to make financially sound decisions and consider long-term financial implications. The CTO’s role is figuring out the technology that meets those criteria.
So a question you might ask is: “Let’s say we acquire X number of practices over the next five years – will we be able to aggregate and work with the data from all of those different PM and EHR systems?”
If, on the other hand, you find yourself stressing about SQL versus MUMPS, take a deep breath and relax. That’s your colleagues’ problem.
What you do need to worry about and why
The Cloud and Software-as-a-Service (SaaS)
Some say the cloud is a shining liberator of financial and operational resources, a panacea for cost centers.
It can be – but the truth is more complex.
Cloud technology’s advantages include:
- SaaS shifts the burden from your capital budget to your operating budget, and the upfront investment is significantly lower. Rather than building/hosting the servers or paying high software licensing fees, you access the software you need in a web browser.
- SaaS reduces or eliminates the need for your IT staff to handle server maintenance.
- As you grow, you can add additional cloud-based server space without the disruption and cost of building new servers, which also eliminates the risk of running out of physical space and having to relocate all servers to a new location.
In addition, pure SaaS means patches and updates occur on the vendor side and are reflected across the software for all users. On 100 percent of SaaS platforms, all users run the most current version, which is worth noting because outdated software is more vulnerable to attack and less likely to reflect current regulations or payer requirements.
Determining the right mix of SaaS and on-premise technology for your organization requires balancing the desire for direct control with the realities of technological prowess (and cost).
For example, you can’t deliver care without the machines and systems that regulate medicine and enable healthcare functionality, so you should maintain full and direct control of the underlying technology. That way, you control planned outages, you can prioritize maintenance/repairs, and you’re ultimately responsible for the technology’s reliability. Makes sense, right?
It does – and it might be the right decision. Nonetheless, you have to honestly appraise your ability to maintain the underlying technology, and then compare your ability to that of a potential vendor. Differences that exist aren’t a reflection on your organization – after all, your core business is delivering care, not managing technology. But consider those differences as you make your decision.
Although day-to-day privacy and security might fall under another executive, the financial ramifications of an insecure network or security breach are potentially catastrophic. Security demands your direct attention.
When assessing on-premise and in-house security, consider:
- Access and access monitoring. Who can access sensitive information, and how is their activity monitored and recorded? Is software in place to flag suspicious or unusual activity?
- Remote access and VPNs. All sensitive information should only be accessible remotely via VPN (virtual private network). Not every employee needs VPN access, and providing it indiscriminately creates risk and the need for additional monitoring. VPNs can reach capacity, especially when many employees are working remotely (think severe winter weather). So you may want to set up an additional, alternative VPN for times when traffic spikes.
- Network infrastructure and architecture. For examples of why this matters, look up how large retailers were recently hacked. If basic forms of access to your network provide a straightforward path to the systems housing your most sensitive data, you’re inviting a terrible form of trouble.
When assessing your vendors’ security, consider:
- Accreditation and compliance:
- If a vendor performs outsourced services that affect your financial statements, they should provide an SOC I Type II report.
- Vendors offering credit card and payments processing should be PCI Level 1 compliant.
- Healthcare IT vendors should be EHNAC-accredited and CORE CAQH-certified.
- Security record and policies. Check if they’ve suffered a breach, and ask what types of monitoring and alerts they have in place.
You need technology that can support you as you grow. Ideally, it should be able to support rapid growth – such as large or multiple acquisitions – but still be a cost-effective way to meet your current needs.
As an example, perhaps you need server space to store radiology images. Let’s say you suddenly needed to store twice as many, or 10 times as many. Do you have the capacity? Have you selected a vendor to handle overflow if needed?
Scalability also means scaling across locations and systems. A general example: with the wrong software, single-click tasks for providers running EHR system X might be manual, cumbersome nightmares for those using EHR System Y. That impacts productivity and creates risk in the form of lost or slow-to-arrive information. Moreover, it’s an illustration of why scalability, interoperability and vendor-neutral functionality often go hand-in-hand.
Information silos are the enemy of financial well being. If you don’t have visibility across systems and can’t drill down into the data, you risk being blindsided, and you’re less likely to catch problems early enough to limit their impact.
You need full visibility into the data driving your overall business performance. In today’s healthcare world, that means visibility into clinical quality, utilization and financial performance.
By mobile I mean all the ways that mobile technology currently impacts or could impact your costs and operations.
Take WiFi, which falls under mobile. My recommendation for how many wireless access points (WAPs) you need might surprise you: enough to accommodate 400 percent to 500 percent of planned normal capacity.
Here’s why. I’ve heard too many stories of companies only learning the capacity lesson the hard way: their WiFi network crashes during a high-profile event such as a conference or large meeting. They had plenty of WiFi capacity – until 300 more people with one or two mobile devices each tried to connect.
So as you calculate capacity, consider conferences and events you might host, as well as areas where large numbers of employees gather. Factor in whether patients and their families can connect to your WiFi, and whether employees currently using desktop computers might switch to laptops in the future.
Closing thoughts: choosing the right technology partner
A vendor’s vision and roadmap give you insight into whether they can meet your organization’s long-term needs. Here’s a simple framework for evaluating vendors with the future in mind:
Their roadmap should reflect relevant regulatory initiatives such as ICD-10 and meaningful use. If any system isn’t yet compliant, there should be a clear target date for when it will be. (How close to the deadline they’re cutting it tells you something about their ability to stay ahead of the curve.) The roadmap should also reflect industry changes such as value-based care and rising patient responsibility, and articulate a clear vision for addressing these changes.
Finally, there are two simple questions to ask about any potential technology vendor: How well does their vision align with where you want to be? How does what they offer today help you get there?