To say that security has gained traction as a priority is quite an understatement. In fact, Ken Lawonn gets more questions about security from his CEO and board than any other topic. And so it should come as no surprise that Sharp has changed its entire approach, creating an IT risk management department and recruiting its first CISO. In this interview, Lawonn talks about the rapid evolution of Sharp’s security strategy, how the organization looks to leverage its managed care expertise to thrive in the population health world, and his thoughts on integration — including what his team is currently doing to provide a unified view of data, and how this plan may change in the future. He also discusses what it was like to go from being the acquiring party at Alegent Health to being acquired, why he made the move to San Diego, and what it’s been like to fill Bill Spooner’s shoes.
- Health plan & the “interesting dynamic” with payers
- Creating an IT risk management department
- Educational awareness — “Healthcare workers tend to be trusting.”
- Rise of the CISO
- Posturing for pop health — “It’s not scalable with the existing technology.”
- Mobility steering committee
- Allscripts’ FollowMyHealth portal
LISTEN NOW USING THE PLAYER BELOW OR CLICK HERE TO SUBSCRIBE TO OUR iTUNES PODCAST FEED
As we are looking at moving into more of a population health strategy and taking more risks, we really understand that much better because we’ve been doing it both from the managed care perspective, and also from the health plan perspective.
We have to continue to mature. We’re going to have to invest more money in this. We not only have to continue to look at our perimeter and trying to keep people out, but we also have to move it to how quickly can you detect a breach and then how do you respond, because everybody’s vulnerable.
It’s probably the area that we spend the most time on and wish we didn’t have to, but you’ve got to protect the organization, and the patients and the people that work here. All their information is in our hands.
You have to have someone who has that background and expertise that can work with the senior executives and the board and have conversations about the risks, about what’s going on in the industry, what you’re doing, what you’re plan is. The CIOs have been asked to present that and I think a lot of us do it, but I really believe we need an executive in that area that can help us develop a plan and communicate it to the organization.
If we want to manage more chronic patients or try to stay connected with the healthy patients, we really need to leverage technology. So we’re in the process right now of evaluating a population health platform that would provide us with analytics, care coordination, and patient engagement.
Gamble: The fact that Sharp has a health plan, how does that play into this? Does it complicate matters or in some ways does it ease the situation?
Lawonn: I think it’s both a challenge and a benefit. I think the challenge is just that we have to support a rapidly growing health plan, and traditionally we’ve tried to do it on existing systems, so we’ve been leveraging our managed care product that we have from GE to support the health plan. But as that plan gets more complicated and grows, we have to look at other tools, and right now we’re in the process of implementing a new system to support for the health plan. So that creates additional pressure and challenges in the IT arena in the organization to be able to support that system, but it really is a benefit and it helps us understand how health plans are viewing information.
We support the health plan from a lot of its analytics and its quality reporting so we get a better insight into the way in which the payers are analyzing the data. It also helps us to be able to offer the Sharp program a network through the health plan. So we want to make sure that if people contract through Sharp Health Plan they’re able to be guaranteed they can see Sharp providers. I think it helps us because as we are looking at and talking about moving into more of a population health strategy and taking more risks, we really understand that much better because we’ve been doing it both from the managed care perspective, and also from the health plan perspective. So we really have that kind of expertise we can leverage within the organization.
Gamble: In the respect, I think it would put you in a better position as the industry moves further down that path.
Lawonn: It does create some interesting dynamics with the payers of course because as I said Sharp Health Plan has 110,000 lives and that’s a significant amount, but we still have a lot of other contracts with other payers, and when the health plan competes with other payers, it does create some interesting dynamics.
Gamble: When we talk about data and what needs to be done with it, this lends itself to the security strategy and what you’re doing there. We’re seeing all the news headlines about breaches. Can you talk a little bit about your security strategy?
Lawonn: It certainly has evolved — rapidly. If we think back where we were even three years ago, we were providing a pretty basic security infrastructure to try and protect and prevent people from penetrating and getting access. And now it’s got heightened awareness at the board level and at the senior executive level. We’ve really migrated from what I’d call an IT security approach to an IT risk management approach, helping the organization understand what are the essential data and what are the risks as far breaches or access so we can help prioritize where we have to invest, because there are just so many areas of opportunity. We have created an IT risk management department. We decided just recently to hire a vice president of IT risk management and chief information security officer and elevate that to a VP role, so we’re right now in the process of recruiting that.
We’ve had some outside assistance from a couple of organizations who come in and assess where we are and help us develop a framework for where we need to go using some of the industry’s measurements like NIST or ISO, so we could get a better sense of where we are from a risk perspective, where are those areas that we have the biggest vulnerability to cause the greatest harm, and look to prioritize there.
The other thing is trying to build educational awareness. We’ve partnered with our compliance department and chief privacy officer to look at trying to educate the entire organization about some of the risks with things like phishing attacks. One of the problems is healthcare workers I think by their nature tend to be trusting, and so it’s trying to educate them that these bad guys really are trying to take advantage of your willingness to click on something or to provide some information. And so what we see is we have to continue to mature. We’re going to have to invest more money in this. We not only have to continue to look at our perimeter and trying to keep people out, but we also have to move it to how quickly can you detect a breach and then how do you respond, because everybody’s vulnerable, and the likelihood of being breached is very, very high.
The biggest issue that you see in a lot of these incidents is that the occurrence has been going on for maybe nine months before people find out, and then that’s allowed to mature and get access to more information. So we’re investing heavily. We’re starting to look at whether we can leverage some outside services from some organizations that are doing things to monitor and detect things that may have more intelligence than we do, and leverage some of their services and some other tools.
But the thing is, it’s got to be more than just the security. It’s got to also be a risk program that’s built into your overall organizational strategy to understand where your potential vulnerabilities are, what the implications are, and what you would do in the case of a breach — how you would respond. It’s looking at doing some desktop exercises that just go through and plan, similar to what you would do if you had a disaster or downtime. It’s probably the area that we spend the most time on and wish we didn’t have to, but you’ve got to protect the organization, and the patients and the people that work here. All their information is in our hands.
Gamble: It’s interesting, when you talked about forming a risk management department, that really speaks to how much of a priority that this has become.
Lawonn: Yes. I get more questions about this from my CEO and board than anything else.
Gamble: Just because of that heightened awareness you were talking about all over the place now?
Lawonn: Yes, heightened awareness.
Gamble: It’s definitely scary, and I can see why education has to be something that’s so important for everyone right now.
Lawonn: Security’s not a department of IT or the IT risk management department’s responsibility. It’s the responsibility of every employee in the organization.
Gamble: That’s an interesting shift that’s happened where that’s no longer something that has to be sold to the board, but maybe something that the board is coming out and asking about.
Lawonn: They want to know how many times people have tried to breach you. It’s an interesting discussion. It’s also a reason why we’ve had to elevate the role, because you have to have someone who has that background and expertise that can work with the senior executives and the board and have conversations about the risks, about what’s going on in the industry, what you’re doing, what you’re plan is. The CIOs have been asked to present that and I think a lot of us do it, but I really believe we need a partner, an executive in that area that can help us really develop a plan, develop a strategy, and help communicate it to the organization.
Gamble: Right. So obviously, there’s a lot there that we’ve already touched on. Anything else really pressing that’s on your plate now?
Lawonn: There are a couple of areas that we’re spending an awful lot of time on right now. One is what we call population health. As I said, we’ve been in the managed care business for years, and we have somewhere close now to 350,000 lives for which we take fully delegated risks. This is a big part of what we do, and most of the management of it is done through our medical groups and we have put positions in place like population health managers. We’ve got some tools in place. We use our date warehouse. We use the HIE, dbMotion. We have some care management tools that we put in place plus the EHRS, but what we’re finding is it’s just not scalable with the existing technology. It’s so people-dependent, and if we want to manage more and more chronic patients or try to stay connected with the healthy patients, we really need to leverage technology. So we’re in the process right now of evaluating a population health platform that would provide us with analytics, care coordination, and patient engagement and help connect us with individuals on an ongoing basis. So that’s a big initiative that we have going on.
The other is a whole area of mobility. It’s one thing to say that we want to continue to provide mobile access or mobility solutions to all the applications we have, but the bigger question that we’re asking ourselves is, what’s our strategy from a mobility perspective? Do we want to have just a handful of applications that’s from AllScripts, from Cerner, and from Synapse, our PACS vendor, or do we want to have a strategy around how do we deliver information to devices in a mobile environment? And do we expect that it will only be a bring your own device strategy, or will we incorporate providing devices ourselves because we see more and more of the workflow especially from the nurses moving into mobile devices, and then how do we do that to engage the patients and the consumers from a mobility perspective? Are there ways to extend our services to provide access?
We’ve got an executive stirring committee that’s helping us look at all the things that are going on, all the potential things we could be doing, and coming up with the overall mobile strategy that’s really around how do we become much more consumer friendly and associate or employee friendly. Because they’re used to using these kind of devices and everything else they do, so how do we provide that kind of capability within the health system?
Gamble: In terms of your patient mix, is there a pretty big variety as far as what you’re seeing in terms of the engagement and using these devices?
Lawonn: It’s interesting. One of the things we did here at Sharp a number of years ago is we built our own portal. We had an application called MySharp and we added a mobile component to that, and recently we converted off of our own platform to an industry provider platform. We implemented FollowMyHealth from AllScripts, and when we did that we had like 110,000 active users of the portal, and more than half of the volume that we were seeing was coming from mobile devices. And so one of the things we’ve really been challenged with is trying to make sure we’re providing the comparable functionality from a mobile platform and continuing to expand, that so we find a lot of engagement here with people wanting to use mobile devices to access information, to schedule appointments, to pay their bills. We really do have a very sophisticated and engaged population from that perspective.
Gamble: Yeah, which of course factors into your strategy is when it comes to all these things with the portals and just doing what needs to be done to meet those numbers from Meaningful Use standpoint.
Lawonn: Right. You have that, and we’ve had to promote it, especially with extending it from the hospital, because the medical group was very active. But it hasn’t been a big challenge getting the number of people to do it; it’s being able to make sure you provide the right kinds of services that you need to.
I think one of the differentiations that I found here is that we are so heavily into what we still call the managed care world and we spend a lot of time looking at what’s the best way to partner. And we like to take risk; we understand that at times we accept maybe a smaller payment to manage risk, but we have gotten into an environment where we really like to manage and have more control over the patient referrals and where they go, and we think that we can provide a better overall level of care with patients. When I came from Nebraska, we were just starting to get into this ACO world and starting to understand that whole perspective, but it’s been pretty sophisticated here. The only thing I’d say is that we’ve had to supplement. There just haven’t been a lot of tools out there to really help you do that.
Gamble: That’s something I’m sure we’ll start to see change if more organizations are faced with the same issues.