John Kenagy, PhD is SVP/CIO and chief information security officer of Legacy Health of Portland, OR.
Tell me about yourself and Legacy Health.
Legacy Health is headquartered in Portland, Oregon. We’re a health system that operates in the southwest Washington / Portland area with six hospitals — two urban, a children’s hospital, three suburban hospitals, and a number of clinics. It’s a typical community-based health system with employed physicians and clinics, moving towards population health and more risk. A very traditional health system founded in 1875.
I have been the CIO here for about three and a half years. I’ve been a CIO for 26 years and have had the distinct honor to have worked in interesting organizations that were each very different. First in the VA system — I worked there for 13 years with my final job as a regional CIO, Then Oregon Health & Science University, the academic medical center here in Oregon. Then Providence Health & Services, a Catholic system throughout the west. Now Legacy.
What discussions are you and your peers having about how the organization should look in five or 10 years and IT changes that will be needed to support those changes?
Two themes are recurring and they’re very interrelated. One is the whole area of population health and risk. Value-based purchasing is risk, taking the entire premium and accountability for lives. That transition from paying for providing healthcare to maintaining health and what that implication is organizationally and of course from a technology perspective. The other one is around insurance. We’ve been a traditional healthcare provider for many, many years. Do we — through either partnership or de novo creation — get into the insurance business?
Let me start with the first one, because I think it’s challenging and fascinating. I think all my peers are working on the same kind of issues, which is, as we move from patient care to population health, it is forcing us to look beyond the four walls. Whether that’s accountable care organizations, bundled payments, or again risk for care not only delivered in your organization, you want to do it the best value — the optimal quality at the lowest cost.
What happens when that patient is on vacation and goes to an ED? That cost is now attributed to your bundled payment, readmissions, and working outside of just the four walls. If you are a traditional organization like Kaiser or the VA, which has all that care within its organization, that’s one thing. You can control the IT, systems and access. For an organization like ours, which is very much a community-based hospital system, we employ 500 doctors, but our medical staff is 2,000. Those other 1,500 are not on our EMR. They’re very independent. They value their independence and worry about when the hospital tries to get more into that.
In the future, with population health and new payment mechanisms that focus on the overall quality and experience of the patients, it’s really a good thing. We’ve been working many years on integrating all of our data into a single system. We are an Epic shop and love the fact that we have an integrated information system, but now with population health, we are consciously moving away from a 20-year ride toward integration into a single database only to say, "That’s great for our hospital, but now we need to play well with every other EMR and now claims data and insurance information."
The complexity of how to do that is extremely challenging. We’re working through that right now, as I think many vendors are, and of course the EHR vendors as well.
Some publications and Epic detractors claim there’s a backlash against Epic after all these years. Is that the case? What is Epic doing right and wrong?
I see that a lot. The paparazzi follow the popular stars. Bad press comes to successful people. It’s our sick culture of wanting to kick the person in the top primary position. I think that’s what’s happening with Epic right now.
I am very pleased that we have Epic as our partner here at Legacy. I think that makes our healthcare better because of the integrated system across inpatient ED and outpatient, not to mention revenue cycle and all the other things. It’s an amazing organization that is very dedicated at its core to a patient care, but also to the success of its partners. I value that greatly.
I wouldn’t say this is what they’re not doing well, but they are burdened by the fact that they are a fully integrated system and have everything from hospice and home health to very acute ICU. You have niche players in the population health space that are coming in a little bit with snake oil and saying how fabulous they are and it’s very easy.
These other vendors, these competitors — particularly in the population health space — are 100 percent dedicating all their energy, all their R&D, all their engineers on that niche product. That’s hard for Epic because they need to do that and other innovations while also making sure that we successfully meet all the Meaningful Use requirements and the transition to ICD-10. I wouldn’t say that that’s something that Epic is not doing right.
When you have an integrated system — CIOs deal with this all the time — we’re having to re-market that value of integration when in a niche clinical practice, operation, or this case pop health, our operational colleagues come with, "Here’s a vendor that’s promising to make it easy and doable." Everyone says they interface with Epic, but that makes it hard.
Which systems do you think you’ll need to buy from somebody other than Epic?
The big one, obviously, is blood bank. The easiest answer to that are the areas where Epic doesn’t have a product. If you’re a Meditech hospital, you can run payroll, materials management, and general ledger on your platform. Epic doesn’t do the administrative systems. They don’t want FDA regulation — not to speak for them — so they don’t have a blood bank system.
Obviously the items that are closer to clinical care and quasi-biomedical and quasi-EHR. One I’m thinking of is Provation for gastroenterology. We have a number of specialty clinical systems that attach into that system. Fetal monitoring, for instance.
The one that is challenging is business intelligence reporting and population health, where so much of the data resides in Epic but there’s also an incredible amount of data that is community EHRs and insurance information, payer information, and claims data.
We’re actually running two horses in the race. One is Epic and one is a different partner. Seeing where our long term is. I believe we’re in such the early infancy of that BI population health analytics world that I don’t think there’s a clear winner yet. We are exploring both Epic and partnership with Evolent in parallel.
Are genomics and personalized medicine important to your clinicians?
I don’t hear it. I love the way you phrase that question. Is it on our radar screen, or is it something that I’m being asked by our clinical folks? Not yet.
As a CIO, you’re always worried that there will be a sleeping giant, and then at the eleventh hour, we’ll get a knock on the door and they’ll want it in two and a half weeks. We’re keeping our ear to the ground, particularly genomics and how it would relate to pharmacy prescriptions and treatment planning. I think it’s probably end of the decade at the earliest. That’s kind of an off-the-cuff answer, but I think it’s going to be on our radar screen, but it’s not immediate.
If I’m a health IT vendor or consultant, how will my business change as big health systems get even bigger and swallow up what would have been their smaller competitors or different types of providers?
I’ve heard this era called the post-EHR era, which is funny, because it’s more like the post-EHR sales era. We’ll always have our EHR.
The challenge for us as providers and what we seek vendors and consultants to help us with is a combination of merger and acquisition. The bottom line of this is all the data needs to come together at the right point for making decisions, whether that’s a broader decision around going into a business or what do I prescribe to this patient right in front of me. As I said, our industry’s had this 20-year march towards moving from best-of-breed and integrating into holistic systems that see the patients together, a Cerner or Epic or Allscripts where you have a fully integrated record.
We are at Legacy at HIMSS 7 across all of our hospitals, so it’s a really successful deployment of Epic everywhere. Now we’re saying, we’re going to merge with a smaller hospital that has Meditech. We need to work very collaboratively within our community, within the larger ecosystem. Inherently that is 45 deployments of about 15 different EMRs and how to do that well so that the data that are relevant to making a clinical or operational decision is readily available.
That challenge, while we’ve been focused on integrating to a single system … the funnel has become narrow, and as soon as we’re at that narrow point, now it’s open wide. Get data from, as I said earlier, claims, other EMRs, and even people who are not yet automated. That’s a big challenge. We’re all forging this new ocean independently and a little bit alone. It’s interesting to be Christopher Columbus in this era.
What kind of services or service venues will be developed in recognizing that a hospital’s future isn’t just keeping beds filled?
That’s a great issue. It is something that’s on the top of mind of our leadership team. Moving even the paradigm from beds and hospitals being a profit center to being a cost center.
We’ll always need beds. America is aging. Acuity rises. What we’re doing is taking low-cost, low-acuity out of the hospital and even outside of the ambulatory to the home. What you’re left with is beds that are incredibly required and incredibly acute. You become an inpatient because you need nursing care, not for almost any other reason. Very high-tech stuff that happens in the hospital, but also around-the-clock surveillance by nurses. That challenges us to be able to incorporate data from the home and ambulatory and get that to clinicians so that people are being able to look at change in status regardless of the venue.
Once you’re discharged after an MI, are you gaining weight? Are you retaining water? Is there an issue with taking your medications? Being able to intervene in a trajectory earlier on rather than waiting for it to become acute and come back to the ED and have a readmission. From a data perspective, it really is a challenge to bring all that information and analyze it with machine code to inform and give the right care manager information at his or her fingertips.
Will costs eventually go down? Health system budgets always seem to grow no matter what reimbursement pea is put under what shell.
The cost of healthcare is interestingly a big topic with our board. Our management has been working on it all along, but it’s raised the attention to the board as the cost of the healthcare in America and what percentage of a company’s employee costs are going into the healthcare costs.
Our board members are community leaders. Some are physicians, but a number of them run their businesses. They’re great leaders in the Portland and southwest Washington communities. “It’s costing me more, so what are you doing, Legacy, to help bend this cost curve?" When the board has a focus on something, we in management pay attention as well.
I think that there will be improvements in cost. Not in the sense of quality, so that’s what the balancing act is. Value is a mathematical equation with outcomes and satisfaction on the top and cost on the bottom. You reduce value by increasing cost because the denominator goes up or you decrease value if outcomes and patient experience go down as you put too much attention to cost.
We’re working with a company called Strata Decision. That’s our financial management system. We’re one of the pioneer adopters of what they’re calling continuous cost improvement. It is a way to bring clinical quality and cost data together and inform managers of needless variation and where costs are going up. I’m very excited about it. I think a year from now, we’ll have rich information in the hands of managers, the OR, the orthopedic product line, and the cardiology product line that will inform them of variations in quality, variations in cost, and focus their attention on doing things that reduce needless variation.
Measuring patient satisfaction gives patients a voice, but there’s the question of whether they are qualified to evaluate anything beyond the hotel part of their hospital stay. Do you talk a lot about how to balance patient satisfaction versus the quality metrics that they probably wouldn’t even comprehend?
We do a lot. The interesting driver of that is transparency. Patients trusted their doctor. They certainly didn’t trust their insurance company and they barely trusted the hospital, but they certainly trusted their physician. When the physician said, "You need to become hospitalized and I’m referring you to Legacy because I value them," patients assume a level of quality because they don’t have the data. They don’t understand what quality looks like.
As information becomes more transparent about outcome quality, whether that’s Healthgrades or HealthCompare, we’re doing a lot to engage patients. We’re starting to deploy GetWellNetwork at all of our hospitals to get real-time patient feedback from inpatients. Rate your pain. How are we doing in terms of informing you of what’s going on? It’s not just TV and infotainment. It really is a way to get patient engagement real time.
It is a national commitment, particularly in Medicare, to do post-hospitalization surveys. You get that survey and it runs through their process, so you know six weeks later how the thing was. That’s driving the car looking only in the rear-view mirror. Being information driven. Being able to solicit information and feedback from the patients during their stay about how informed you feel, how satisfied are you, is there pain and other experience during the inpatient stay. Being able to intervene on that real time is a big driver for us.
How does a health system avoid becoming the next front-page breach victim?
You can’t, which is a bleak answer to that. I’m beginning to hear in the CISO industry in healthcare the need to change the paradigm from villain to victim.
The one that I am very concerned about is that the breaches that are happening now are very concerted, usually foreign, usually well financed. It’s not just the simple hacker that’s trying to get something or the “I Love You” virus that someone gets their jollies putting that into the email system and that propagates around the whole Internet around the world. We’ve got a lot of things that solve that. It’s the persistent phishing, very pernicious attacks, Anthem and the very big ones.
I don’t know how I alone at Legacy with my information security team – a great team of five people and our 300 people in IT – can be our own shield against the People’s Republic of China. I just don’t know how that is the expectation. We’re fairly sophisticated in terms of our information security portfolio compared to a smaller hospital or a physician’s office, but if the commercialization of medical record numbers becomes 20 times the value of a credit card number, how am I supposed to defend against literally a foreign invasion done through electronic mechanisms? I think there needs to be a lot more federal attention to that.
If we have a violation like that, because of HIPAA, we become a villain. Turning a blind eye and basically saying, "There’s no defense and I can’t help myself" is an abrogation of your responsibility. But putting in the normal standard things and even advanced systems and surveillance and protections, you still get violated by persistent attack, a foreign-generated persistent attack. We have started changing our language from “if it happens” to “when it happens.”
Should there be a different level of concern or public announcement if information was actually used versus just exposed?
Right. Both our laws and the way we deal with it need to step up to where we are in terms of the real risk. All of our laptops are encrypted. Flash drives are encrypted. All of our actually desktops, so if you break a window and steal a desktop, data aren’t stored locally on drives any more and all that sort of thing. That kind of due diligence.
Like you said, it is the persistent attack. That’s a different level of breach. This whole cybersecurity thing has been a boon to the identity theft industry, because the first thing you do when you’ve lost medical records is pay for everybody having identity theft protection. I personally probably have five offers of identity theft protection at probably $2.30 a person from five different companies, including my insurer, Target, and Home Depot. There should be a minimum on that for the whole country rather than every organization paying into that sort of thing.
What are the biggest threats and opportunities in healthcare IT as you see it from the CIO’s chair?
The biggest opportunity is bringing in additional data. Building off a platform, for us as a provider system with an integrated electronic health record and a fabulous partnership with our vendor, to springboard that. To just bring more information that improves the care of patients, inclusive of claims data and data from other EMRs where the patient is seen. Being able to coordinate care better across a large ecosystem that is very independent.
It’s not a single national health system. We have a multi-faceted delivery of healthcare. Being able to use information and data to enhance that coordination of care in a way that masks the organizational complexity of the healthcare industry. That is exciting to me because I think that that will improve care, reduce cost, and deliver on the Triple Aim that we’ve all been striving for and that is so data dependent. That’s both the threat and the opportunity. The opportunity is that we know what we want to achieve, and then the complexity of having to get to it.
Another threat that I see on the horizon between now and the end of the decade is, for me at Legacy, retirement of very good IT professionals who have more than two decades of experience with our organization. The complexity of hiring people, finding talent, finding talent in unique places like nurses who come in to the organization to become IT analysts. How to marry the phenomenal skills of clinical practice and information technology.
That whole theme is staffing and resources because technology is the simple part. It’s the people. It’s the change management. It’s translating imprecise needs to our physicians and nursing clinical partners into what we need to do for IT. That takes a very amazing talent that’s built over time. As I lose about a fourth of my staff for retirement, how to build that in in the new generation where there’s a competition for resources with consulting firms that are trying to recruit the best talent. That’s a big threat in my opinion, against that opportunity of weaving together all this information that resides in multiple different systems and databases in order to provide better patient care across our ecosystem.