John Jay Kenagy, PhD, SVP/CIO & CISO, Legacy Health
With 20 years under his belt, John Jay Kenagy is no rookie to the CIO position — and yet, he’s continuously learning and evolving. In his current post at Legacy Health, he spends more time than ever before focusing on the best way to bring independent physicians into the fold, working to ease their skepticism while at the same time not “overselling.” In this interview, Kenagy talks about his team’s efforts to facilitate data flow throughout an ever-changing organization, the security “arms race” the entire industry is grappling with, and the “people first” philosophy he’s employing while leading through an acquisition. He also discusses what it has been like to work for four such different organizations, the need for “confident, yet humble” leadership, and what he believes is next for the CIO role.
Chapter 2
- The balancing act of selling a CIN
- Bringing a new hospital into the fold
- Cultural issues with M&A — “You don’t know how things will fit.”
- Communication throughout the process
- Leading through change: “The first priority is people.”
- The “arms race” of protecting data
- The CISO accountability
Bold Statements
Epic has made a lot of progress on ingesting CCDs from other EMRs as part of a convergence strategy, and the Connect program is pretty large nationwide — even worldwide, and so we’re able to use just basic vanilla technology from our vendor to facilitate that, but it’s still work.
In terms of merger and acquisition, that is a worrying time for the 18 people who work in IS and clinical informatics at Silverton, and I take that very seriously. I take that to heart as a key part of my role and accountability as the CIO to think about the people and their transition.
We put a fair amount of investment into information security protection that really does nothing to foster the mission of healthcare, other than the lack of it would be debilitating to our business.
While I carry the CISO accountability, I use that group that I am a member of — not the chair of — to help Legacy design a very practical, very working and very compliant information security and patient privacy paradigm.
Kate: It’s interesting when you talk about the people who have the conversations with the independent physicians, because you’re talking about the credibility issue too where it can’t just be IT.
John: I think it’s a polarity. It’s just something I think we will always have to balance, because as I said earlier, we’re rightfully proud of the accomplishments we’ve made with our EHR partner and very enthusiastic about it. That can come across maybe too boastful or dismissive of other EMRs, or come off like ‘you really need to do this program to be a full member of our clinically integrated network.’ Other clinically integrated networks have done that and have said ‘over three years, you need to transition to the common electronic health record we’re going to support.’ We’ve decided not to do that, I think because our clinically integrated network did not have any high percentage of physicians who had no electronic health record in their office — they were already well on the way of this journey. As I said, it’s this balance between our real enthusiasm and hype and overselling and overzealousness.
Kate: Right. You said that really the biggest hurdle has been those who were switching from another product.
John: Yes. Epic has made a lot of progress on ingesting CCDs from other EMRs as part of a convergence strategy, and the Connect program is pretty large nationwide — even worldwide, and so we’re able to use just basic vanilla technology from our vendor to facilitate that, but it’s still work. It’s still work on the practice, still work on the physicians, and obviously all of our team that has to make this all work flawlessly.
Kate: Right. You mentioned before about Silverton. This is a really recent development in terms of bringing in another medical center that wasn’t quite cut and dry where they happened to be on the same instance of Epic as you are.
John: Yes, definitely an M&A activity in healthcare.
Kate: Can you talk a little bit about that process of bringing a new hospital into the fold and really looking at it from the leadership perspective of how that needs to be approached?
John: Let me start philosophically or at the non-technical level. Let me start with the people and the culture. One of the things that I have been so excited about, and this prenuptial period has gone on for a little over a year, but every person that I meet at Silverton, whether it was the CIO, who also wore the hat of chief nursing officer and chief operating officer of the hospital — it’s a smaller hospital, about 800 employees in total, compared to 10,000 at Legacy — it just felt like we were separated at birth. The enthusiasm that they have about their community and about the patients and about the work that they do that benefits the Silverton community is the same passion I hear at Legacy every day. It sounds like I’m doing an ad campaign for Legacy, and I don’t mean to, but I love working here. The Silverton family had the same kind of drive and energy, and excitement, and enthusiasm, and passion I hear from leaders and staff, people who count their tenure at Silverton in decades as people do here and it’s been great.
In terms of merger and acquisition, that is a worrying time for the 18 people who work in IS and clinical informatics at Silverton, and I take that very seriously. I take that to heart as a key part of my role and accountability as the CIO to think about the people and their transition. We have more vacancies in our IS department than they have staff, and so it could be easy to get overly consumed by Big Brother. It would be very easy for them to feel condescended to as a rural hospital, and so we need to choose our words very appropriately — not to dance around anything, but respecting that they are a staff and a health system and a medical community in transition, and transitions are tough. You don’t know how things will fit, even though there is such an enthusiasm and such a cultural fit with our organization because there are going to be changes. Obviously, they’re going to de-install five EMRs that the staff know how to use and have been working with for over 15 years and we’re going to be putting in Epic.
So the first thing we did is we met just before D-day, day one of our go-live date, the closing date, we went down and met with all the staff. And this month, we’ll be shipping a number of people to Verona, Wisconsin to start their journey to become Epic-certified, and they’re very excited about that. I talked a lot to my staff and the new staff about the importance of them feeling welcome, and if at any part of this transition if they feel stressed, to let me know. If they’re worried about where their jobs are and if they decide that they’re interested in staying and they don’t want to go there for whatever reason, or they don’t want to start down an Epic certification journey or become a builder or commute to Portland — which is probably a three-hour round trip commute daily, and particularly with traffic is an awful direction that they’d be coming to try to work normal working hours here — if that isn’t in their current plans right now, that’s fine. There’s a lot of work; there’s a lot of things to be done. In the end, we have process and technology, but the first priority is the people, and that’s really, really important to me.
Kate: It is a complicated issue, obviously. That leadership really comes into play throughout the whole process, I would think, from when you first started speaking with the people at Silverton, and even going forward.
John: Yes. We have an 11-month journey that has just started to get on to Epic. We want to do that right. There’s no immediate urgency, no contract with an old EMR that’s expiring. We want to do it right rather than do it fast, although we want to do it diligently. So we started that journey and the people are really enthusiastic, which is great.
Kate: So that’s another thing on your plate. I’m sure one of the other big issues as always is security and particularly for you. You hold the CISO title as well, right?
John: I do.
Kate: Okay. I wanted to get into how that works, especially with security being such a big priority, and how you’re able to navigate that.
John: It’s a great question. It’s another thing that we obviously pay a lot of attention to, certainly the breaches and the arms race that is protecting your proprietary information — the information about patients and employees that you steward in your systems. It’s just staggering the evil that is out in the world. Here we are trying to do great work at helping people’s lives, healing cancer, delivering babies — all the great work that is done in the healthcare system, and you have folks, domestic and foreign, who want to either get intellectual property or commercialize stolen information. It just makes me mad.
We put a fair amount of investment into information security protection that really does nothing to foster the mission of healthcare, other than the lack of it would be debilitating to our business. Obviously, the community trust, when you have a breach event, is broken. It’s just been interesting. I’ve heard a great phrase that basically says in healthcare, with the HIPAA laws, a victim of a breach becomes a villain because of the way the law is situated. With a breach over 300, we have to release a press statement that notifies the community that we had a breach of more than 300 patient records. You obviously are embarrassed; you get a little vilified for having this. I don’t know how my team of people can protect against a very concerted attack by a foreign state government or organized crime, both of which are overseas, that are persistently trying to attack. And of course there’s phishing — it’s not the nerdy teenage hacker anymore that’s trying to get in. It is a persistent phishing attack. It’s social engineering; stealthily getting in but then lying dormant so as not to raise any issues, and then exfiltrating lots of information. It’s something we are constantly, constantly vigilant about.
You mentioned I have the title in name and responsibility as both chief information officer and chief information security officer. I’ve worked in organizations where the policy part of information security — not the engineering part, but the audit policy and the training regimen — is outside of IS and in a different division, usually compliance. And this assignment may be incumbent only but I’m very sensitive to both the perception and the reality of conflict of interest. When I got here four years ago, we had a very longstanding HIPAA Steering Committee that started in the late ’90s and meets weekly and it has our assistant general counsel, our chief privacy officer, one of our directors in medical records, a number of IT people, and some of our clinical informatics folks — I’m on that. I’m sensitive and pretty obsessive, in fact, about decisions around our risk profile and information security paradigms and policies and practices that I don’t make that decision myself. So while I carry the CISO accountability — and a function needs to have one level of accountability, not a committee because the committee has no active accountability — I use that group that I am a member of, not the chair of, to help Legacy design a very practical, very working and very compliant information security and patient privacy paradigm. My staff know that full well. So as we make changes or we decide there’s a security barrier to doing business, let’s open it up.
Now as CISO, do I have ultimately the authority to do that alone? Probably, but it’s something that I don’t do for that very reason of I don’t want to be perceived as having too much authority in myself alone. You know what I mean?
Kate: Right. It definitely makes sense, but at the same time you can see how intrinsically those two roles are related, especially now with everything that you’re dealing with and the education that needs to be ongoing.