No one can ever say that the leaders at Barnabas Health System didn’t do their due diligence in selecting a next-generation clinicals system. It took more than a decade for the system to decide on Cerner, but when you’re the largest integrated healthcare delivery system in New Jersey, making the right decision trumps making a quick decision. In this interview, interim CIO and CTO Tom Bartiromo talks about the organization’s aggressive schedule for rolling out clinicals, and how they are trying to balance “the power of the big and the agility of the small” and apply lessons learned from one go-live to the next. He also discusses the importance of having strong clinical partners, Barnabas’ long-term goal of enabling data analytics and BI, and going from CTO to CIO.
Chapter 2
- The importance of key clinical partners
- Marketing successes
- The quest to reduce interfaces (“Curbing 30 years of instinct”)
- Email management
- Reducing catastrophic risk
Bold Statements
We talk about things all the time and some hit, some resonate, and some just fly by. So it really is important that they can talk their own language. They’ll vent differently, and ultimately that leads to a better solution and better input into how we ultimately support, develop, and advance.
Typically, marketing and IT do not go hand in hand. We quietly deliver excellence. But in this particular case, it was about trying to showcase the things that have been going on in IT and putting it in terms that make sense.
We’ve gotten a much better handle on the amount of interfaces, and those continue to go down as we drive our integration strategy. Some things, I think, will remain interfaced for a long time to come, but we don’t want to give up the charge on appropriate integration where it makes sense.
The security portfolio tends to be the bastard stepchild in many cases. Unfortunately, when there is an incident, that’s what drives it to the front stage and gets people talking about it, and that’s not what you want to have happen.
Ultimately you bear the chief security officer role along with CIO in many cases. So you’re balancing speed and agility with appropriate balance of risk and security, and those two sometimes just don’t go together very well.
Guerra: How critical is it for success, whether in a hospital or a department to have a real clinician champion; to have that nurse or physician that is taking your calls and is excited and is partnering with you? You don’t have to get specific, but if you had to roll it out where you just didn’t have as strong a partner on the clinical side as you would have liked to have, I would imagine that’s not a great feeling for a CIO.
Bartiromo: No, not at all. I was very fortunate and I remain fortunate that our chief medical officer, Dr. Anthony Slonim remains vigilant and very engaged. He is an incredible supporter of information technology and has really done a fantastic job in driving the engagement with our physician group. Ultimately, it’s doctor on doctor. Even though we can be engaged, there’s no substitute for physician-on-physician dialogue, and Dr. Slonim’s done a fantastic job in leading that. It doesn’t mean everybody always likes what’s being said and the conversations are far from easy, but he remains front and center in those conversations, along with our chief nursing officer and our pharmacy leadership team. They’ve just been really outstanding in holding the line and staying engaged.
Guerra: I was just thinking of you or someone else from IT trying to highlight the benefits of the system. You’re picking out things that you think are cool and they’re saying, well who cares about that?
Bartiromo: That’s exactly right.
Guerra: If you have a physician like a CMO who gets into the system and says, ‘wow it can do that,’ he’s pulling out the right things that will get them excited.
Bartiromo: That’s exactly right. We talk about things all the time and some hit, some resonate, and some just fly by. So it really is important that they can talk their own language. They’ll vent differently, and ultimately that leads to a better solution and better input into how we ultimately support, develop, and advance.
Guerra: You sent me a bulletin you guys are putting out or a newsletter.
Bartiromo: Yeah, one of the challenges that I’ve been seeing is that while the information technology and services division is involved in a lot of things, I found when I came into the role that there was a lot of confusion around what exactly IT is doing.
Guerra: You’re like, ‘we’re doing lots of stuff, really.’
Bartiromo: Exactly, and try not to be offended by the statement, but look at the mirror and say, ‘well maybe I’m not doing such a great job in bringing simplicity to complexity about what we’re doing.’ Cerner was front and center, so that was pretty top of mind, but outside of that it was getting boiled into PCs and technical bits and bytes. So for the past six or seven months, along with doing the work, we’ve been working on putting together a first-edition IT performance report. In essence, it’s like a shareholder report trying to help bring simplicity to complexity. Typically, marketing and IT do not go hand in hand. We quietly deliver excellence. But in this particular case, it was about trying to showcase the things that have been going on in information technology and putting it in terms that make sense. Not just speeds and feeds and technical bits and bytes that lose everyone, but to do it in a way that keeps people engaged and lets them know what we’re doing and where we’re going, and build on it as an annual report.
Guerra: I agree with you. I think it was very well done. I think it was very digestible. I liked how you just called out some facts and figures here and there with a nice, light layout.
Bartiromo: Right, thank you.
Guerra: It was definitely well done and easily digested, and it’s certainly a best practice from the CIOs I interview. To market, you have to market internally what you’re doing. You can’t have any shyness or timidity about it. You have to get over that. If you’re a CIO with that problem, you better get over that because otherwise your reputation or your status in the organization is not going to be what it needs to be.
Bartiromo: Exactly. And there’s a good degree of humility that goes with that. Some of the internal critiques are ‘geez, that’s a lot of fanfare,’ and you’re opening yourself up to a lot of critique. But candidly, I’d rather engage in the critique than have people wonder what we’re doing.
Guerra: Right. It’s a great point. Some of the things that I took note of in the report — and we can discuss this — is you talk about the number of interfaces being over 1,300, and like every CIO, you want to see that number going down, I’m sure, which is part of the Cerner rollout. Cerner’s got it all; it’s one of the few companies that has it all integrated. So tell me your thoughts when you see that 1,300 number.
Bartiromo: It was actually an interesting exercise as we were gathering some of our data points, because a lot of those consolidated metrics led to a lot of additional conversations. But in that particular case, especially on the interface side, we recently consolidated the IT organization and centralized the IT organization. Even though our resources are distributed between and among the facilities, we’ve logically centralized a lot of our practice, one being the integration team and interface team. So we pulled those together from what used to be distributed at the sites, and ultimately we’ve gotten a much better handle on the amount of interfaces, and those continue to go down as we drive our integration strategy. Some things, I think, will remain interfaced for a long time to come, but we don’t want to give up the charge on appropriate integration where it makes sense — not removing them just because it lowers the number, but doing it in context.
Guerra: I would imagine there’s some serious project management and whiteboarding that has to go on here. You don’t want to be investing a bunch of money into an interface redo. And this is where I get out of my depth, but you don’t want to be investing a lot of money in some sort of interface work where all of a sudden the Cerner product comes online and it’s ‘Oops, we don’t really need that interface anymore.’
Bartiromo: That’s exactly right. Our PMO practice is still emerging. On a maturity scale, it’s still fairly early in its maturity as well as the practice and culture that go with it. We have a strategy to rule out Cerner for key solutions, knowing that we have very capable people who could interface and can bolt on. We just choose not to do that from this point. That’s a curbing of 30 years of instinct to interface and bolt on and patch together and make things work that isn’t quick to break. It’s going to take some rigor and discipline in the coming years.
Guerra: Yeah because it used to be a point of pride; ‘we can make it work.’
Bartiromo: That’s right. Again, being good soldiers and good architects, they jumped in, threw themselves on many grenades over the years, and made it work. That really was a badge of honor.
Guerra: So now the response has to be, ‘we can, but we won’t.’
Bartiromo: That’s right. It’s maybe not a ‘no,’ but a ‘yes, if.’
Guerra: Right. Another sort of bulleted fact was the email messages sent to the healthcare system in 2011, of which 84 million were blocked as spam. I pulled that out because we did a webinar recently around email going into the cloud, not going into the cloud, and Google was brought up. We don’t think about this. We talk about Meaningful Use. We talk about CPOE, but email is surfacing as a very important discussion these days.
Bartiromo: Absolutely, it is truly a business critical system that’s in our top 10, along with our clinical systems. It’s been an interesting view over the past few years. On average, we had been seeing around a 90 to 92 percent block rate on all inbound mail, which is depressing at best. But I found we were not alone in that many industries were averaging around an 80 to 90 percent block rate. So when you start to run the economics and see that the cost of our messaging environment is X to support basically about a 10 percent inbound mail rate, it really does open the door for some other engineering points to say, we probably could do this better, and hopefully at a better economic scale as well, and I think that’s what’s going to give some rise to the cloud and hosted solutions.
Also I think what has a significant impact in that conversation is not just whether you’re maybe a Microsoft shop, but your licensing strategy as well. If you’re an enterprise agreement customer, then what you’re paying in your licensing fees really starts to come into play with the cloud-based solutions. If you’re not an EA customer, the economics may or may not hit the mark.
Guerra: It’s very interesting how this comes to the forefront.
Bartiromo: Yeah. It’s a big part of our overarching communication and enabling strategies.
Guerra: Part of the thought process is certainly if there are organizations out there that are doing it better than we are and cheaper, let’s look at it.
Bartiromo: Absolutely. It was much more of an emphasis of ‘Put my email in the cloud? No thanks. I don’t know enough about where that cloud is. Is it public or private?’ It really doesn’t cost me that much to host it, but candidly, in terms of how it’s continuing to evolve, I think you’ve got a couple of major impact points: 1) the licensing agreement, and 2) your retention strategy — are you on an annual retention, a two-year retention, or a permanent retention, which then drives your storage area network resource and cost structure.
So there are some decent tentacles that come out from the messaging environment. But cloud maturity I think has picked up quite a bit, and they’re really understanding security, especially when you look at the breach concerns and the HIPAA final rule that came out in mid-January. You get even more concerned about a potential breach — whether it’s hosted or not, you’re not too far distant from the liability.
Guerra: That was going to be my next point. You have a number of things in there about security. We hear CIOs saying that people outside of technology have no idea the kind of viruses and malware that’s attacking probably every organization and hospital systems too. I want you to talk about that with a certain idea in mind that I’ve been thinking about lately, which is as CIO or any sort of business owner or someone who’s in charge of the business, you really have to watch your catastrophic risk. What are the risks out there that I just cannot have happen? What are those scenarios that can’t have happen? And maybe you bring in the idea of Hurricane Sandy and disaster recovery. But certainly around the security issues, as a CIO, there are certain scenarios that cannot be allowed to unfold. Tell me a little bit about that.
Bartiromo: I think it’s a fair point. Again, this tends to be one of those things that’s quiet in the background until it’s quite frankly not so quiet in the background, and that’s usually a bad thing. So when we talk about some of those things that are just unacceptable, case in point, Microsoft. Coming up in the near-term, April of 2014, for certain versions of the Microsoft product, namely XP on the desktop, Exchange 2003 and Office 2003 will no longer be able to receive critical security patches. So for many institutions — us included — that opens up an unacceptable security exposure come April 2014 where you now have thousands and thousands of portals of entry that can no longer be patched by Microsoft’s critical security patches. So that’s going to cause not just a work effort and not just an expense, but a pretty significant action plan to remediate. That’s something that’s on our agenda right now.
That would definitely be one of those examples that’s just a flat-out unacceptable event. We’ve had conversations internally to try to get people to understand that better and say, ‘well, if it’s just a licensing thing, can’t we just license it differently?’ And it just doesn’t work that way. I wish it did.
Outside of that, our perimeter defenses are sort of one of those areas that are non-negotiable in how we’ve made investments over the years. And again, it takes time, because the security portfolio tends to be the bastard stepchild in many cases. Unfortunately, over the years, when there is an incident, that’s what drives it to the front stage and gets people talking about it, and that’s not what you want to have happen. But when it does happen, you really need to capitalize on the mitigation strategies having been burnt by something.
When you’re doing such a good job, it’s easier for people to be complacent and say, ‘what’s the problem? We really don’t need it to be this way. We’ve never been burnt.’ Well that’s the reason we’ve never been burnt is because it is this way. So our firewalls, our intrusion detection, our defense-in-depth strategy — we’re doing it with an incredibly lean amount of people. For this organization, we have a team of five and they’re covering a number of things, from our HIPAA security readiness through our perimeter and intrusion prevention at the desktop. So it’s really incredibly thin, but without it, I think you really open up an unnecessary risk. And when you’re reporting into the audit committee, it’s really not a comfortable thing to talk about. That’s not the conversation you want to have: ‘Let me talk about the last breach that happened.’
Guerra: Yeah, and I guess it’s a big part of the CIO’s job to determine what is necessary from a security point of view and a risk point of view, and to say, ‘hey, I can’t be CIO of this place unless we’re going to spend this money because it’s not responsible to do anything less.’
Bartiromo: No, and ultimately you bear the chief security officer role along with CIO in many cases. So you’re balancing speed and agility with appropriate balance of risk and security, and those two sometimes just don’t go together very well. Security reviews typically slow things down that may introduce some expense, and a lot of times the business units just see it as a perceived obstacle. So it’s important to have an executive management team understand that, listen it’s not always great, it’s not always preferred, but if we don’t do it, the downside risk could dwarf these types of things.
And again, I think with the final rule just coming out and as the organizations understand better about what that means to them, you’re going to see a lot more teeth coming into these breach incidents as well as business associates that at one point were kind of viewed a little bit more arms-length that we can indemnify differently or hold harmless, whereas back to the cloud-based services, their breach is my breach. It’s going to change people’s opinion I think about really getting under the covers with your hosting providers and making sure they’re really where they need to be.
Guerra: Any thoughts on disaster recovery? I know you’re pretty far inland, but did Sandy change anything over there?
Bartiromo: Yeah, it raised awareness. I think like many organizations, all of our hospitals were on generator at one point for varied 24 to 72 hours, and took minor damages along the way. But it definitely raised a heightened sense around business continuity and DR planning, and I think that’s a good thing. I think that’s a healthy exercise to engage in. It’s not a cheap exercise, and I think people know that, but we are still engaging in that exercise. The IT organization shares our business continuity leadership planning team, just to keep slow but steady movement about business continuity and DR from table top drills of key systems to what-if scenarios and downtime procedures. Again, it’s not an aggressive agenda, but it’s a slow moving and constant agenda.