Like many organizations, Cincinnati Children’s Hospital’s current state for data, reporting, business intelligence and analytics is emergent rather than designed. Information Services (IS) manages the transactional systems producing data, but it never has had the infrastructure or the capacity to respond to all information needs across the enterprise. To meet demand, it began distributing data to individual departments, which then hired their own staff to work with them. As a consequence, the data now are everywhere, with limited global knowledge about how they are being used, generating anxiety about security.
But security is not the only problem with the current state. There is limited global knowledge about staff capabilities, and no common job descriptions or training or onboarding practices, so the organization doesn’t necessarily get the talent it needs from the dollars collectively spent on “analysts.” Isolated individuals and siloed analytic teams thrash away at identical problems independently, without coordination or agreement, so the organization under-utilizes its collective resources and produces conflicting versions of truth.
We are now working to create a mindfully designed future state. The technical foundation of the new system will include a platform that contains all source data, which the IS staff will assemble, cleanse, conform and transform, to make them analytically digestible. All institutionally sanctioned derived terms will reside on the platform, including performance measures and operationalized hierarchies. The thrashing that now happens independently will take place centrally, protecting analytic users from the mess and ensuring that they all will access single, sanctioned sources of truth — at least when they exist.
From that platform, we expect data architects and BI developers to create smaller sets of relational datamarts, designed to meet project- and department-based analytic needs. I had assumed those creating these smaller relational datamarts would be the department-based, data management staff working side-by-side with the analysts, who in turn are close to their customers. This is the arrangement I had created in the QI Analytics team, and it works very well. But at a recent meeting with my IS colleagues on the project, I was startled to hear them rather forcefully object. In their view, only centralized IS staff should have access to the platform, and only they should be authorized to create these downstream data sources to meet customers’ BI and analytic needs.
From the perspective of an analytic user working directly with departmental customers, such a policy projects an image of Alcatraz: The data are surrounded by sharks; the guards will let only a few people through and will seldom let anyone out. But I understood my colleagues’ point of view: Alcatraz is secure. By limiting access to authorized users within IS, the organization would get the security it needs.
Or will it? Our current state emerged precisely because limiting access to centralized staff in IS could not meet customers’ needs. Years ago, the organization had decided that access to Clarity, Epic’s analytic database, would be restricted to IS Clarity-certified staff, who were expected to satisfy the organization’s demands for “data from Epic.” They could not. The volume of requests for reports was too high, and many requests were not for reports, but for complex analysis. The report writers could not respond effectively to the deluge of requests, and so IS started distributing data directly to customers, who then hired their own staff. Hence our current state, with its worries about security.
Today the demand is for data from Clarity; tomorrow the demand will be for data in the platform that includes Clarity and everything else. Using history as a guide, the same “closed access” policy will likely yield the same result: Impatient customers either will find ways to evade access restrictions, or they will loudly complain, which amounts to the same thing, because the loud complaints will force IS to give them data they can use on their own. With a founding philosophy of “access will be limited to authorized users in IS,” we’ll recreate the same unacceptable situation that we have today, except we’ll have some fancy and expensive new technology.
Here is a potential alternative, the one I’m advocating now:
First, because we’ve built into the platform common solutions to common problems, it will be a very attractive asset for distributed staff. Because it will be an attractive asset, staff will want to become trained in its use, and the second piece of the solution is to make that training widely available, at different levels, thus removing barriers such as cost, endurance and prerequisites. We will link the training to the qualifications listed in the newly standardized job descriptions, and have exams that give staff the opportunity to demonstrate that they have the competency to work productively and safely with enterprise assets, appropriate to the level they seek. We’ll grant level-specific access rights upon completing training and passing the exam, and eventually sunset all current distributed data so that the central platform will be the only source.
Training will cover not just knowledge of navigating data, but working with them, handling meta-data, and making use of the enterprise solutions to common problems. The training also will cover standard practices that ensure security. It will make clear that responsibilities to maintain security reside with all data stewards, report writers, BI developers and analysts, inside IS and out, and that violation of secure practices and processes will lead to revocation of access privileges or even dismissal.
The third piece of the alternative solution is reinforcement with technology: The metadata management tools in the platform will capture lineage, with maps showing pathways from source data to how they are used throughout the organization. We’ll capture usage statistics and auditing, and create mechanisms that will help us detect security risks before they arise.
The vision is that the organization will support and encourage dispersed and creative uses of data, across the enterprise, maintaining order and security through a combination of training-based access rights at different levels, which users will desire, reinforced by the new technology.