When Mark Lauteren started as CIO at University of South Alabama in the spring of 2013, he had two major goals: facilitate seamless integration of data throughout the system, and improve customer service within IT. Sounds simple, right? Luckily he had one major factor on his side — the organization’s willingness to change. In this interview, Lauteren talks about what it took to clean up a fragmented IS department, the gargantuan effort taking place to create ‘one patient, one record,’ why his team doesn’t ‘just say no,’ and the never-ending chess match CIOs must play to keep data secure. He also discusses what it was like to replace a long-time CIO, the mentors who taught him well, and why he takes time to give back.
Chapter 2
- Standardization across the system — “The folks wanted change.”
- Right people in the right seats
- Weekly strategy sessions — “How do we get to where we need to be?”
- ICD-10 — “We’ve done everything that needs to be done.”
- Attesting to MU 2 & planning for stage 3
- Data security — “It’s a never-ending chess match.”
- Dealing with research data
LISTEN NOW USING THE PLAYER BELOW OR CLICK HERE TO SUBSCRIBE TO OUR iTUNES PODCAST FEED
Podcast: Play in new window | Download (Duration: 12:27 — 11.4MB)
Subscribe: Apple Podcasts | Spotify | Android | Pandora | iHeartRadio | Podchaser | Podcast Index | Email | TuneIn | RSS
Bold Statements
There’s a lot of focus now of getting people up to speed on how to do the coding and the different programs that you have for ICD-10 versus ICD-9. We think we’re ready for it, but the proof will be in the pudding when in October we’re able to drop bills and our payers properly capture them.
We have to work with our vendors to make sure that they’re ready. For the most part, we’re at their mercy for functionality, then it’s a matter of how do we implement those functionalities that are needed.
It’s a never-ending war or chess match that goes on forever, because every time we tighten something up somewhere, someone else seems to find a way to get around it somewhere else.
We’re not going to call individuals out, but we are going to point out when things have happened and how they’ve happened so that hopefully others will learn. We’re not going to say, ‘Mark did this.’ We’re going to say “This was done in our organization. Here’s an example of something you shouldn’t be doing.’
Gamble: So it really seems there’s been a lot of a change in the culture of the organization since you arrived, and that you had a pretty big task as far as coming in and making some of these changes to IS. I imagine that must have been pretty daunting in the beginning.
Lauteren: I think it was and it wasn’t. I’ve had some great support, first, within the department. The folks, I think, wanted change. They felt that they needed to change internally. And then my peers, the other administrators within the health system, have all felt that they needed to make their own changes, so we’re all going through this metamorphosis, if you will, within the whole health system. Historically, the health system had been a very siloed organization. The Children’s Hospital didn’t work directly much with the medical center, which didn’t directly work much with the physician practices, which didn’t work with the Cancer Institute. So we’ve been working very hard since even before I got here to standardize and streamline those.
Actually, the first group across the health system that was actually standardized was the IS department, and so that’s sort of the cataclysm that’s happening, we’re getting these different things, and then you add into that the changes in healthcare that are driving change in general. In Alabama, Medicaid has implemented a program called Regional Care Organizations (RCOs) that are going to drive us to a capitated rate for all of the Medicaid patients in our region with a seven county region and that’s going to be very interesting and all of this is driving change. It’s not just us, but we felt that we needed a new information system to do that and we felt that we needed a change in the way we ran information systems, but it’s again not just information systems. It’s the whole organization that’s going through a similar change and so I was just one of many driving that.
Gamble: Okay, a lot of interesting things there.
Lauteren: A lot of change going on.
Gamble: Definitely. It seems like it keeps coming back to the whole focus of really having that health system mentality instead of the separate entities.
Lauteren: Yeah, and that has been big for us. My boss, Stan Hammack, who’s the head of the health system, has been driving that at least since I’ve been here, and since long before that I believe. He’s done some changes, brought in people like Owen Bailey who heads up the Children’s Hospital, who is great at bringing folks together, and escalating people like Beth Anderson who heads our medical center; Becky Tate, who heads up our ambulatory group; and obviously our finance folks, Tracy Jones, who heads up our finance area. And we sit down every Wednesday morning and we talk about what’s going on and how do we work better as a system. We don’t always get down to the individual issue. It’s more the strategic and the longer term and how do we get to where we need to be to support all of the things that are changing in healthcare.
Gamble: Right. You had mentioned to me offline that you do a lot of traveling around among the facilities. Is that pretty much how it’s been for a while?
Lauteren: Yeah. We have, as I mentioned, the two different hospitals, and the main headquarters for the ambulatory group are in a separate building. MCI is a separate freestanding cancer institute, and then there’s a back office building in Spring Hill Avenue Complex — we call it the SHAC. It’s an older, less than ideal building, but a lot of our back office folks, including IS and our accounting folks and even a couple of small clinics, are in this building. All told, we’ve got about 28 locations across several counties. I don’t obviously go to all of those, but I do go to the hospitals, the ambulatory, the MCI and then the SHAC, which is where my office is. I go between those fairly regularly to meet with the different folks in our organization and so does everyone else in IS. All of those primary buildings are probably no more than about 10 miles apart, but it does require that we drive back and forth.
Gamble: Having that presence seems like it’s important as far as actually having that face time and that open communication.
Lauteren: Email is good for quick communications and/or if you want to give a long, very straightforward write-up, but when you’ve got a tough decision, typically that’s better given face-to-face. Even over the phone can be okay, but typically that’s better given face-to-face. When it’s not an easy yes or no answer and there’s a lot of the gray area where it’s not ‘oh yeah, the answer is 12.’ Well, I wish it was 12.
Gamble: Right. Now putting aside that small project you have to go to Cerner, what are the other really pressing priorities for you guys right now?
Lauteren: There’s not much going on in healthcare. ICD-10 is nothing big, right? Meaningful Use, nothing big. We don’t have anything going on. We were actually over here playing checkers yesterday. I’m kidding of course. With ICD-10, we’re counting down the clock. Actually, we are going to put a countdown clock out in the hallway. From an IS standpoint, we’ve done we believe everything that needs to be done. There’s a lot of focus now within the organization — and it’s not being driven by us so much as the rest of the organization — of getting people up to speed on how to do the coding and the different programs that you have for ICD-10 versus ICD-9. We think we’re ready for it, but the proof will be in the pudding when in October we’re able to drop bills and our payers properly capture them. We’ll see.
And then obviously Meaningful Use is on everybody’s mind. We’re in a middle of stage 2, but we’re planning for stage 3 although it’s still a moving target. This is not finalized, and like everybody, we keep looking at it and wishing that certain parts would change and maybe other parts wouldn’t change, and hoping that the dice will roll our way on what we would like and what we don’t. And we have to work with our vendors to make sure that they’re ready for those. For the most part, we’re at their mercy for functionality, then it’s a matter of how do we implement those functionalities that are needed.
So we’ve got all of that, and then obviously we’re playing more and more like everyone else with mobile devices, and looking a lot at our information security footprint, and how do we keep ourselves more secure. It’s a never-ending war or chess match that goes on forever, because every time we tighten something up somewhere, someone else seems to find a way to get around it somewhere else. We have been very lucky we’ve had no major breaches. We hope to continue that, but I point out that probably the two most secure networks in this country are the DOD and the White House, and both of them have been hacked. So I’ve told my board and others that will listen, it’s not a matter of if, it’s a matter of when, and we have to be ready to minimize it and to make sure that we’re ready to respond.
Gamble: It seems like when these breaches happen, they come in bunches, and we just had one a couple of weeks ago. It’s got to be just very scary or alarming and make you just want to really tighten up as much as you can.
Lauteren: We can’t solve all the problems, some of it is software that’s outside of our control, and we’re having to try and fence it off when identified issues are identified with it. A lot of it now is social engineering. They’ve convinced somebody to click on a link in an email or to download or hit a website that did a drive-by on their computer and now they’ve loaded something on that. They spearfished or whatever to get onto that computer and now they’re using that computer to start weaseling their way in. So we have to work very hard.
We actually send regular emails out. We have a newsletter that has a security corner that we send out that keeps reminding folks to be aware. If that email you got isn’t the one you expected from your friend Bob, don’t open it. If they send you something you aren’t expecting, don’t open it. If you’re not sure, send it to us, we’ll check it. We’ll scan it. So we’ve implemented those types of things, but we’re only as secure as the other 3700 employees in the organization. Any one of them can open a hole and we just have to be ready to try and hopefully notice that the hole has been opened, and respond as quickly as possible.
Gamble: Have you had people bring forward an email and say they’re not sure? Is that something where you think people are willing to do that?
Lauteren: We get it regularly. That happens regularly. We have made it very clear. Like I said, we do a regular newsletter and that’s what we tell them. We tell them if they’re not sure, send it to us, send it to myself, send to our information security officer, send it to our support desk or helpdesk, and we will check it out for them. If you’re not sure, especially if it has an attachment — but as you know, attachments are not even necessarily the bigger risk. Nowadays it’s links and it’s drive-by’s if they’re going out to websites they shouldn’t be and not even realizing that they shouldn’t be because somebody has put up a bogus ad on a regular website. And so we’re trying to fight that and it’s challenging because as the university organization, we have a lot of researchers here and their job is to go out and find information. Their job is to be out there on the internet, but that also puts them at risk, which puts us at risk.
We try our best to educate, educate, and then reeducate. We use anonymous stories of what’s happening. We’re not going to call individuals out, but we are going to point out when things have happened and how they’ve happened so that hopefully others will learn. We’re not going to say, ‘Mark did this.’ We’re going to say “This was done in our organization. Here’s an example of something you shouldn’t be doing.’ And we’ve had a few people say, ‘Really? I shouldn’t do that?’ We’ve said that every month in the newsletter for the last year and a half.
Gamble: I guess that’s the best you can do, and luckily you’ve done okay so far, so that’s good to hear.
Lauteren: Either we haven’t been hacked badly yet or we just don’t know it. I think it’s hopefully the former and not the latter, but as I said, I try and warn people it’s not a matter of it, it’s a matter of when. If the most secure networks in the world can hacked, ours can be. It’s just so far the people that are really, really good haven’t deemed us to be a big enough target to go after us. The simple guy, the high schooler that’s sitting in his bedroom, he’s not going to get through our network. He’s not going to get in here. Those folks they’re not going to get through us or any other reasonably good healthcare organization. They’re running a pretty decent shop. They’re not going to get in. But when, and I’m just making it up, some third world country has an army of folks in a building somewhere and they decide they’re going to focus on you, you’re not going to stop them.
Share Your Thoughts
You must be logged in to post a comment.