Are hospitals and health systems today relying more on the skills of IT vendors?
Photo: Frank Forte
In the last decade, physician practices, hospitals and health systems have hired IT vendors to manage their equipment, update business and clinical software, and support their clinicians and staff with tech problems.
Those services typically were all that was expected and needed, so IT was considered just another vendor on the organization’s balance sheet.
Much has changed, though. While healthcare’s goals of managing illness and injury are largely the same, the industry’s technology needs are immensely different and more critical to clinical and financial outcomes. For example:
- Healthcare data breaches of 500 patient records or more (mostly due to cyberattacks) increased from 199 in 2010 to 707 in 2022, according to the Department of Health and Human Services’ Office for Civil Rights (OCR).
- The annual number of ransomware attacks on healthcare organizations more than doubled from 2016 to 2021, according to the Journal of the American Medical Association.
- Reimbursable services with a telehealth component grew from 0.15% of all claims in January 2019 to 5.9% in January 2023 – a 3,370% increase.
- Smartphone ownership in the U.S. grew from 35% in 2010 to 91% in 2023.
As such, IT services have evolved with the times, with companies offering a wider scope of services and greater expertise far beyond "tech support." Health IT vendors now deliver prevention-focused cybersecurity consulting and training, long-term IT road-mapping, and even devote staff to serve as chief information or chief information security officers for client organizations.
Healthcare IT News sat down with Frank Forte, CEO of Anatomy IT, a health IT and cybersecurity technologies vendor, to talk about the changing nature of IT services.
Q. You have observed many changes in the nature of IT services in healthcare over the years. What are some of these changes?
A. IT services in healthcare transformed during the 2000s from largely a commoditized service to a true strategic partnership. Healthcare provider organizations today are more closely reviewing and relying on the specialized skills and expertise that partners bring above and beyond maintaining software and supporting users.
Of course, such table-stakes services are still essential, but for the deeper digital transformation process that many organizations are going through, a more strategic guidance and a preventive approach is needed.
Organizations have begun to turn to, or supplement internal IT staff and resources with, specialized and experienced IT partners who have an in-depth understanding of the complex regulatory environment in healthcare and the unique workflows of clinical and administrative staff.
While healthcare organizations may use some of the same IT equipment and applications as other industries, they do not operate like most other businesses, nor does a high-volume orthopedic or dermatology group practice have the same IT needs as a multi-hospital health system serving an entire state. A true partner needs to understand those differences and have a plan for every type of entity.
Another change is the nationwide consolidation occurring among specialty physician practices that are being acquired by private equity firms. These firms typically do not want to incur the time or expense of partnering with multiple IT-support companies in the many communities where these practices are located.
Instead, acquirers are looking for IT partners who can scale with and support a growing footprint of practices with some standardized processes and best-of-breed systems to help maximize their ROI in a short amount of time.
Q. What has been happening in healthcare or in IT services to cause these changes?
A. There are many reasons for this strategic shift toward IT partner selection in healthcare, the most significant being the massive digital transformation in how care is accessed and the historic increases in cyberattacks.
In October, for example, 2023 was already "on pace to smash all previous records" regarding cyberattacks, to quote the American Hospital Association’s national cybersecurity advisor John Riggi.
Riggi pointed out the OCR already had recorded 400 data breach incidents affecting 500 or more patients’ protected health information (PHI) for an estimated total of 74 million people impacted. COVID-19 and the worldwide disruption the pandemic created seemed to have inspired threat actors who often operate within highly organized cybercriminal organizations that strategically identify targets and launch attacks.
The incident volume grew so large during the pandemic that the FBI issued a rare advisory focused entirely on healthcare-targeted attacks.
Another major change occurring in health IT is the enormous growth of telehealth adoption among consumers that began during COVID-19. While levels have not sustained the peaks they achieved early in the pandemic, telehealth-related claims are still over 3,300% higher than in 2019, according to FAIR Health.
Numerous other trends preceded these events, such as the shift from paper to electronic health records and the replacement of on-premise equipment with cloud-based servers and systems. More recently, the Centers for Medicare and Medicaid Services’ Merit-based Incentive Payment System (MIPS) and Alternative Payment Models (APMs) further demonstrated the need for healthcare-specialized IT partners as value-based care programs take hold.
These performance payment programs require extensive data capture, reporting and compliance with security standards. Yet ensuring an organization is effectively using its technology to help maximize the possible incentive payments is a time-consuming process.
This typically means they need healthcare IT experts knowledgeable not only about MIPS and APMs, but also healthcare workflows to help streamline the collection and reporting processes.
Arguably the most significant changes in healthcare and IT will be driven by the rapid adoption of AI tools and generative AI capabilities across every dimension of healthcare, including revenue cycle, diagnostic and imaging, drug discovery, and personalized medicine.
While the potential use cases are revolutionizing healthcare, the integration of AI in healthcare also raises concerns regarding data privacy, the ethical use of patient data, and the need for regulatory frameworks to ensure patient safety and confidentiality.
In short, IT has been the No. 1 driver of change in healthcare in the past 10 to 20 years.
Q. You also have observed more IT services companies devoting staff to serve as CIOs and CISOs. Do you think this is a serious trend? How does this change impact operations at a healthcare provider organization?
A. The "virtual" CIO and CISO roles are, and will continue, to proliferate across healthcare organizations of most sizes, even if an internal CIO is already working in that capacity. As the importance of digital transformation grows across healthcare, internal CIO and IT staff often take on more initiatives concerning systems optimization and IT migration.
The virtual CIO role can be a cost-effective way for health organizations to enable their existing CIOs to focus on essential duties, such as strategic planning, improving data-driven decision-making workflows and technology, the safe implementation of AI-powered solutions, and ensuring alignment with security, legal and financial goals of the organization.
The virtual CIO often, in turn, focuses on the day-to-day informatics and IT projects so they stay on time and on budget. This newer service that leading managed services organizations are offering is really a reflection of how the CIO and CTO roles have grown in healthcare. In addition, smaller and midsize organizations that never had a CIO before are finding that a virtual CIO is an ideal first step before hiring an internal leader.
The CISO position is an even newer leadership role, but certainly becoming more relevant and common as the threat of cyberattacks and data breaches only increases. CISOs – who could also work as virtual employees at the behest of an IT partner – are laser-focused on security and helping organizations create and stay adherent to protocols and training.
The greatest benefit to operations from having a virtual CIO manage projects or strategic planning for which the internal leader does not have time is typically increased productivity of staff involved in those projects. With a knowledgeable and experienced leader helming such initiatives and managing other daily duties, there also tends to be higher success rates associated with the work because the specialized virtual CIO has a deeper understanding of how strategy, goals and results differ in healthcare compared with other industries.
Whether a virtual CIO or virtual CISO, an organization is bound to come away with a greater awareness and appreciation of the importance of data and systems protection and security, and how important it is for the institution to prevent malicious and accidental breach incidents that often have massive clinical and financial repercussions.
Q. Ultimately, what is the result of the various changes in IT services companies working with healthcare provider organizations? What are the outcomes?
A. With IT concerns dominating so much time and attention inside hospitals and health systems, there is a risk that it could detract from the quality of care and experience providers deliver to patients. By turning to experienced and qualified healthcare technology experts who can protect their organizations from such internal and external technology-related risks, provider organizations can devote more of their internal IT resources to other performance improvement initiatives.
Eliminating unnecessary IT distractions enables healthcare organizations to experience improved clinical and financial results in whatever areas they want to improve.
Another important potential result of partnering with specialized IT professionals is protection from malicious or accidental data breaches. Although it is difficult to quantify the savings resulting from a cyberattack that does not occur, the Ponemon Institute recently reported survey results that showed the financial toll associated with an incident reached an average total of $5 million in 2022, up 13% from the previous year, including $1.3 million due to disruption of healthcare operations.
In this challenging economic climate, no health system can afford to lose $5 million or more, especially when simple and highly preventable human error is typically the cause.
Similarly, the peace of mind among providers and administrative staff knowing that a qualified and experienced IT team is protecting their healthcare organizations from cyberattacks and IT disruptions overall cannot be calculated.
Many corporations and companies of all sizes recognized decades ago that partnering with outside IT experts just made business sense because it enabled their leaders and employees to focus valuable resources on achieving internal goals and serving customers. Healthcare, it seems, is finally gravitating toward that model, as well.
Follow Bill's HIT coverage on LinkedIn: Bill Siwicki
Email him: bsiwicki@himss.org
Healthcare IT News is a HIMSS Media publication.