S1E25: Privacy, Apps, ERP, Cloud (ft. JD Whitlock, Dayton Children’s)

Share:
JD Whitlock, CIO of Dayton Children’s Hospital, speaks about Privacy, Apps, ERP, Cloud.

Transcript:

0:0:0.0 –> 0:0:0.410
Jordan Cooper
Where?

0:0:-1.-740 –> 0:0:1.440
J.D. Whitlock
Silence might let me put myself on do not disturb on teams.

0:0:4.210 –> 0:0:5.490
J.D. Whitlock
There we go. OK.

0:0:6.690 –> 0:0:15.380
Jordan Cooper
We’re here today with JD Whitlock, the CIO of Dayton Children’s Hospital and owner of Wits End Consulting, JD. Thank you for joining us today.

0:0:15.910 –> 0:0:17.30
J.D. Whitlock
Morning, Jordan. Happy to be here.

0:0:17.760 –> 0:0:48.850
Jordan Cooper
For our listeners, Dayton Children’s hospitals, the $600 million pediatric integrated delivery network and pediatric acute care children’s teaching hospital located in Dayton, OH, the hospital has 181 pediatric beds. JD, I’d like to kick off our conversation by asking you about information blocking regulations. I know you’ve worked with these to some extent. You’ve written that it should be permissible for providers to put a few cautionary speedbumps in the path of patients handing over their entire medical record to app vendors.

0:0:49.30 –> 0:1:3.150
Jordan Cooper
Not all of whom will have their best interest at heart and quote. I’d like to ask you to elaborate upon what a patient friendly implementation of information blocking regulations would look like. What do you think about patient access to their own electronic health record?

0:1:3.820 –> 0:1:19.380
J.D. Whitlock
Yeah, sure thing. So this is a really tricky issue where where we we need to balance patients right to their own medical record. And really what we’re talking about here is patients right to get the data.

0:1:20.90 –> 0:1:27.70
J.D. Whitlock
In their record, easily and quickly into an app of their choosing because.

0:1:28.20 –> 0:1:45.990
J.D. Whitlock
Hippa gave us since 1996 they’ve had the right to the record in the sense that you can go to the hospital or doctor’s office and say give me everything in my record and you get a bunch of paper or a CD or a flash drive or something, right? And so really it’s changing the format of the data in the speed at which you get the data.

0:1:48.240 –> 0:1:58.880
J.D. Whitlock
What happened with all this regulatory language and and execution of this? Just if you’re just a couple years ago now, getting close to two years ago?

0:2:1.60 –> 0:2:2.50
J.D. Whitlock
Is that?

0:2:3.390 –> 0:2:6.60
J.D. Whitlock
Some folks in the provider community.

0:2:6.390 –> 0:2:29.420
J.D. Whitlock
And said we need to be a little bit careful here because we are we are all conditioned to add apps to our phone and accept very quickly accept all the little defaults that say yes, yes, yes, yes, yes, I accept all these things and what you’re doing is you’re in this scenario is you can be giving your complete medical record to a company that has built an app.

0:2:30.400 –> 0:2:33.510
J.D. Whitlock
That is actually not beholden to HIPAA.

0:2:34.270 –> 0:2:37.360
J.D. Whitlock
Because due to the way that HIPAA works.

0:2:38.160 –> 0:2:41.250
J.D. Whitlock
If that is self released by the patient.

0:2:42.940 –> 0:2:45.250
J.D. Whitlock
Whoever’s getting it does not have to.

0:2:45.990 –> 0:2:47.150
J.D. Whitlock
Do all HIPPA rules now.

0:2:47.910 –> 0:2:57.790
J.D. Whitlock
The government is reconsidering some of those rules, but they’re not changed yet. And so basically, some of us were of the opinion we don’t wanna limit.

0:2:58.430 –> 0:3:2.980
J.D. Whitlock
Patients access to their own record. We do think that we should caution.

0:3:3.940 –> 0:3:14.350
J.D. Whitlock
Uh patients what? They’re what they’re about to do. And So what? That looks like an epic world that I can speak to because we’re epic customers. I can’t speak to the details of how this works with other EH Rs.

0:3:45.740 –> 0:3:57.170
J.D. Whitlock
By releasing this now what’s interesting about this is that since these regulations changed about two years ago, we now this may be different and pediatric side than the adult side. And I know there’s more.

0:3:58.0 –> 0:4:0.620
J.D. Whitlock
There’s more venture capital going into more apps.

0:4:10.560 –> 0:4:10.950
Jordan Cooper
Umm.

0:4:1.930 –> 0:4:14.310
J.D. Whitlock
On the adult medicine side, but we have not seen a whole lot of people actually use that functionality. So there was a lot of attention paid to how the regs were changing.

0:4:15.600 –> 0:4:30.430
J.D. Whitlock
And then actually not not a whole, not a whole lot of activity there. So now that I’m talking about chapter one of the what changed in April of 2021, then there was what changed last fall.

0:4:30.830 –> 0:4:31.80
Jordan Cooper
Hmm.

0:4:31.280 –> 0:4:39.290
J.D. Whitlock
For the all EHR, which is a whole different, which is a whole different story which would take longer to explain. I know I don’t know if you want to get into that right now or not.

0:4:39.510 –> 0:4:41.790
Jordan Cooper
How often are HIPAA requests even made?

0:4:43.220 –> 0:4:50.60
J.D. Whitlock
Hippa requests are made all the time, but but a very often in the you know two are.

0:4:51.700 –> 0:4:54.10
J.D. Whitlock
Our AIM department is most.

0:5:1.220 –> 0:5:1.490
Jordan Cooper
Umm.

0:4:55.150 –> 0:5:4.330
J.D. Whitlock
All health systems have a have a Kim department with a release of information, process and then depending on the receiving.

0:5:4.990 –> 0:5:11.190
J.D. Whitlock
Yeah, if somebody is consult going to some other health system or seeing some other specialist, it completely depends.

0:5:22.720 –> 0:5:23.90
Jordan Cooper
So.

0:5:11.980 –> 0:5:26.550
J.D. Whitlock
On their capability, right, if that other specialist is on EPIC, then it’s pretty seamless just within Epic. You don’t necessarily have to go get all of that. If they’re not, you may still have to have to get all that on a like a flash drive or something.

0:5:31.520 –> 0:5:31.760
J.D. Whitlock
Umm.

0:5:29.610 –> 0:5:49.610
Jordan Cooper
Third party apps and people just downloading them and clicking through the terms and conditions. I like to ask you to speak to what should a CIO of a healthcare delivery system be thinking about when considering integrating third party apps into an epic Behr instance within the umbrella topic of digital health innovation.

0:5:50.600 –> 0:5:54.540
J.D. Whitlock
Here are so most of the time and the this is where the patient right comes in, right?

0:5:56.250 –> 0:6:4.210
J.D. Whitlock
If the patients right to download their data into an app of their choosing, whether or not the health system knows anything about that app.

0:6:7.910 –> 0:6:8.260
Jordan Cooper
Mm-hmm.

0:6:16.890 –> 0:6:23.520
J.D. Whitlock
With with the with a, a proxy rights into the patients medical record, which by the way.

0:6:24.390 –> 0:6:30.240
J.D. Whitlock
Even I’m a complicates the situation more because if.

0:6:31.790 –> 0:6:35.300
J.D. Whitlock
Forsake of argument. There was a another.

0:6:37.500 –> 0:7:5.880
J.D. Whitlock
I’m going to use the term Cambridge Analytica, that company that got in trouble a few years ago because they’re wildly inappropriate use of Facebook data, Cambridge analytical like vendor out there that was taking patients Phi and then maybe doing inappropriate things with it did not ultimately have the patients best interest at heart. Now there’s the added complexity of mom or dad made the choice to share Junior’s medical record.

0:7:6.820 –> 0:7:22.270
J.D. Whitlock
It in and you know, maybe two years later the that the patient is an adult and somebody else shared their medical record. Is that so? The parent has to accept that risk for their kids. So it’s very complex. And then you have different adolescent.

0:7:23.10 –> 0:7:27.560
J.D. Whitlock
Uh privacy rules in can be different in different states.

0:7:28.0 –> 0:7:28.350
Jordan Cooper
Hmm.

0:7:37.570 –> 0:7:37.840
Jordan Cooper
Hmm.

0:7:28.710 –> 0:7:45.410
J.D. Whitlock
So the the age of an adolescence right to kick mom and Dad out of their medical record can be different at different states. And so it’s very obviously just difficult for EHR vendors to handle all of that complexity. So it gets very complex very quickly.

0:7:45.950 –> 0:8:16.40
Jordan Cooper
So the quote that I read about that information blocking regulations cited a healthcare journalism well cited an article by Forbes. So I wanna ask about healthcare journalism in particular. I’d like to ask there are other CEOs of healthcare systems listening to this episode right now. What could they do to improve the way that their story is told, that their institution, if they speak to journalists and then make sure that their story is told accurately, is there anything that CIOs can do to?

0:8:16.130 –> 0:8:18.470
Jordan Cooper
Help improve the state of healthcare journalism.

0:8:19.860 –> 0:8:21.870
J.D. Whitlock
Umm, that’s it, that’s a good question.

0:8:24.50 –> 0:8:29.190
J.D. Whitlock
In relation to the to the Forbes article, the comments that I made were.

0:8:30.410 –> 0:8:32.580
J.D. Whitlock
It’s the point of that article was.

0:8:34.80 –> 0:8:46.850
J.D. Whitlock
Epic is about to be disrupted because of venture capital going into all this digital health, and my point was no, not really because you’re average up a customer.

0:9:12.370 –> 0:9:12.920
Jordan Cooper
Umm.

0:8:48.860 –> 0:9:16.60
J.D. Whitlock
Spends most of their time doing things that aren’t terribly easy to disrupt, like like surgery and emergency room and hospitals and a lot of times when you turn on the TV and see some new company that wants to treat some condition of yours with a video visit, and then we’ll send you a prescription. It’s mostly falls into primary care. And so that was that was me just pointing that out. Look, you’re always going to have.

0:9:16.310 –> 0:9:29.790
J.D. Whitlock
I’m a minority of journalists that are just going for the sensationalistic headline and not digging deep. And So what can we, as healthcare CIOs, do? Well, I guess we can.

0:9:30.460 –> 0:9:38.600
J.D. Whitlock
And call out some of the worst examples of that when we see and by the way, I’m not saying that that author that Forbes.

0:9:39.340 –> 0:9:41.690
J.D. Whitlock
Article was doing was in that category.

0:9:42.70 –> 0:9:42.390
Jordan Cooper
Umm.

0:9:42.930 –> 0:9:43.820
J.D. Whitlock
I just think they.

0:9:48.380 –> 0:9:48.760
Jordan Cooper
Yeah.

0:9:44.700 –> 0:9:48.970
J.D. Whitlock
Mr. Few subtleties there, and I pointed out a few of the subtleties. So.

0:9:49.420 –> 0:9:49.930
Jordan Cooper
So.

0:9:51.790 –> 0:10:22.230
Jordan Cooper
I’d like to pivot this conversation, move to a new topic that I think may be of interest to our listeners and hasn’t been broached on too many other podcasts and in the health IT space, and that would be selecting a healthcare enterprise, resource planning or ERP vendor. I know you work with work day and I know that most CEOs work with some ERP or other. I’d like to ask you to speak to our listeners about what went into that decision and how you leverage your ERP and what lessons you’ve learned through that process, those processes.

0:10:23.300 –> 0:10:38.910
J.D. Whitlock
Sure. So so choice of any RP and then implementation and execution of your P is maybe probably not quite as important as the same for EHR, but almost as important, right.

0:10:38.880 –> 0:10:39.190
Jordan Cooper
Umm.

0:10:49.400 –> 0:10:49.850
Jordan Cooper
Mm-hmm.

0:10:39.430 –> 0:10:53.20
J.D. Whitlock
Umm. So yeah, so we we’ve been on work day for a while, we actually one of the first handful of health systems that went on to their supply chain management module back in 2019.

0:10:53.620 –> 0:11:7.890
J.D. Whitlock
Umm, so we’re using work day for almost everything that you can use work day for. As I understand the market right now looking at some of the class research data and other sources, it’s sort of coming down to.

0:11:8.240 –> 0:11:11.360
J.D. Whitlock
And either work day or Oracle.

0:11:28.300 –> 0:11:28.840
Jordan Cooper
Umm.

0:11:13.320 –> 0:11:40.880
J.D. Whitlock
And of course, the advantage of on the on the Oracle side, if health system is a Cerner now Oracle health customer for their EHR, they could go with Oracle ERP and have the proverbial one throat to choke for their EHR and their ERP, right. And of course, there’s some integration points there too. So one interesting thing that I’ve noted talking to other CIOs is that.

0:11:41.590 –> 0:12:3.970
J.D. Whitlock
In some health systems, they’re stuck in neutral on ERP transition because they’re having difficulty convincing the leadership of all those different business units, HR finance, supply chain, that they even need a modern cloud based integrated ERP.

0:12:4.750 –> 0:12:8.870
J.D. Whitlock
Because it’s obviously a massive amount of massive change management.

0:12:10.110 –> 0:12:20.680
J.D. Whitlock
Big cost, new cost implementation costs certainly and some people are happy with their legacy solutions and sometimes the.

0:12:21.380 –> 0:12:37.440
J.D. Whitlock
Benefits are maybe longer term and a little bit harder to communicate, and so that’s an interesting dynamic that I’ve seen. And I’ve also seen a lot of health systems that are in the middle of that transition.

0:12:38.920 –> 0:12:46.610
J.D. Whitlock
And so so yeah, that’s that’s just the just something else that’s vitally important part of a health system CIO’s job these days.

0:12:47.100 –> 0:13:2.410
Jordan Cooper
To how would you advise S CIO listening as episode to speak to those individual business unit owners to make their case that it is important to go to a modern cloud based ERP despite the associated costs and change management issues?

0:13:20.100 –> 0:13:20.450
Jordan Cooper
Mm-hmm.

0:13:3.220 –> 0:13:29.100
J.D. Whitlock
Sure, this is uh, I think this is definitely a case of, you know, shining a light on some of the technical debt out there, which of course you gotta be careful with that term because the leaders not in it might not even really understand what we mean when we say technical debt. It’s all the work. That’s all the effort that the hamsters hamster wheel going on in the background to.

0:13:29.180 –> 0:13:37.940
J.D. Whitlock
To to, you know, move data between the systems to sort of fight with some of the legacy architectures to keep up.

0:13:38.940 –> 0:13:45.590
J.D. Whitlock
You know, up the upgrading. Often these are still on Prem systems.

0:13:46.860 –> 0:14:7.730
J.D. Whitlock
You know, at at Dayton Children’s, we’re a relatively small health system and I’ve noticed this the same thing for other small health systems where you can actually have your major facilities connected with dedicated fiber, not traversing the Internet. And that is we’re we’re keeping our EHR and other core clinical systems on on Prem.

0:14:8.360 –> 0:14:8.630
Jordan Cooper
Hmm.

0:14:8.720 –> 0:14:12.220
J.D. Whitlock
OK, now if you’re a 50 hospital system, by definition.

0:14:12.920 –> 0:14:27.270
J.D. Whitlock
It really doesn’t matter where EHR is hosted. It might as well be hosted in the cloud because you have to traverse the Internet to get to those fifty hospitals, right? Or maybe 49 hospitals. If your data centers. If you’re data centers and your largest flagship hospital, but.

0:14:27.400 –> 0:14:33.220
J.D. Whitlock
And but a lot of smaller health systems are are staying on Prem for the clinical.

0:14:33.920 –> 0:14:34.260
Jordan Cooper
Mm-hmm.

0:14:34.110 –> 0:14:36.90
J.D. Whitlock
However, I it’s.

0:14:37.310 –> 0:15:7.80
J.D. Whitlock
For your ERP, the benefits of going cloud are just it. It’s well, it’s the normal benefits of going of going cloud that you don’t have to worry about hosting that on Prem. One thing I’ll say complementary for work day is they do it’s one code base and every six months you get an upgrade and that upgrade is relatively seamless and there are always rolling out much of new features, the interfacing and the APIs.

0:15:7.160 –> 0:15:14.730
J.D. Whitlock
Are are done well. Those are the things you get out of a a modern built from the ground up software as a service ERP.

0:15:14.340 –> 0:15:16.930
Jordan Cooper
Sort of. What to what extent are the?

0:15:38.160 –> 0:15:38.450
J.D. Whitlock
Yeah.

0:15:42.440 –> 0:15:42.710
J.D. Whitlock
Yep.

0:15:47.600 –> 0:15:47.800
J.D. Whitlock
Yeah.

0:15:48.870 –> 0:15:49.140
J.D. Whitlock
Right.

0:15:18.70 –> 0:15:49.480
Jordan Cooper
I’d like to ask about an healthcare delivery systems motivations to move to the cloud. I’d like to ask you to balance to what extent the motivations are security, automatic upgrades, not worrying about that infrastructure purchasing, hardware replacing hardware versus liability. Hey, if something goes wrong, if there is ransomware or if there is some kind of hack or attack that the lawsuits and the legal onus is actually on a third party, whatever that cloud vendor is as opposed to us.

0:15:50.20 –> 0:15:59.630
J.D. Whitlock
Sure. Yeah. That’s a great question. So there’s a whole lot of to unpack there. So one thing I think we’re mostly past I think in the early days.

0:16:0.560 –> 0:16:5.210
J.D. Whitlock
Early days, I don’t know. Ten years ago, whatever. You know some of these.

0:16:15.460 –> 0:16:15.670
Jordan Cooper
And.

0:16:6.580 –> 0:16:22.490
J.D. Whitlock
They keep the cloud capabilities became available and we were sometimes we would say well, we can’t put our protected health information in the cloud, they cloud can’t handle it. We’re past that. Look, I mean the major cloud platforms, they’re hitrust certified and come out, let’s be honest.

0:16:22.610 –> 0:16:25.280
J.D. Whitlock
Did it based on our.

0:16:26.360 –> 0:16:46.510
J.D. Whitlock
You know, cybersecurity capabilities of your average health system that we’re getting ransomware, there’s somebody’s getting ransomware every day, right in the news. We’re not necessarily doing any better there. So that’s one thing now in terms of the liability you brought up, which is a very good point.

0:16:48.250 –> 0:16:50.250
J.D. Whitlock
You know that that it ultimately.

0:16:51.620 –> 0:17:0.290
J.D. Whitlock
Some of these bigger cloud vendors are also bigger targets, right? So on the one hand, you may not have the same sophistication.

0:17:15.980 –> 0:17:16.310
Jordan Cooper
Mm-hmm.

0:17:1.570 –> 0:17:33.340
J.D. Whitlock
Your cyber security defenses at a smaller health system, on the other hand, you’re you’re not as big a a big of a target. So interestingly, when you consider the solar ones hack a few years ago and for those that are not familiar with that, what happened was that that is some software that was used to help with it architectures for many, many, many, many companies. I think I’m may have beginning this number wrong, but the number I’m remembering is 18,000.

0:17:35.420 –> 0:18:2.270
J.D. Whitlock
Uh companies were used SolarWinds and were compromised by the fact that they they had. It was inside job basically and there was malware that was part of an update to the software. OK, so lots of people were compromised, basically anybody that uses software was compromised. Didn’t Jones was compromises that, I mean it’s not releasing any state secrets to say that however.

0:18:4.90 –> 0:18:8.90
J.D. Whitlock
The the bad guys only had enough time to exploit.

0:18:10.0 –> 0:18:10.200
Jordan Cooper
Umm.

0:18:8.940 –> 0:18:11.980
J.D. Whitlock
That in a in a smaller number of.

0:18:13.480 –> 0:18:19.270
J.D. Whitlock
It in and higher visibility, higher value targets. They typically went off after government agencies.

0:18:19.350 –> 0:18:47.700
J.D. Whitlock
If, if, and so basically the the the joke when we talked about this with our leadership in our in our board was well you know the bad news is we were one of 18,000 companies that were compromised. The good news is we weren’t important enough for them to exploit it right, which is a weird situation. You really don’t want to be in, right? That’s a weird thing to explain to your board. Right? And so you got to be careful about all of this.

0:18:47.800 –> 0:18:55.20
J.D. Whitlock
Yeah. I I I don’t know what I have a really good direct answer to your to your liability question.

0:18:55.470 –> 0:18:55.770
Jordan Cooper
Umm.

0:18:55.910 –> 0:19:0.110
J.D. Whitlock
And another complicating factor closely related to that is of course.

0:19:1.390 –> 0:19:3.260
J.D. Whitlock
Cyber security insurance.

0:19:4.380 –> 0:19:4.650
Jordan Cooper
Hmm.

0:19:4.80 –> 0:19:6.370
J.D. Whitlock
And how that’s changed so much and because of?

0:19:20.160 –> 0:19:20.470
Jordan Cooper
Mm-hmm.

0:19:20.990 –> 0:19:26.500
J.D. Whitlock
Some people are having to reconsider whether they even can get that insurance.

0:19:28.20 –> 0:19:42.130
J.D. Whitlock
And then you’re you have to ask yourself, is the dollars better spent on the insurance or the dollars better spent on that? Next thing we ought to do to implement, you know, zero trust architecture at our health system. So it gives.

0:19:42.230 –> 0:19:50.600
J.D. Whitlock
That gets very complex. There’s no easy answer. It’s absolutely what’s the what’s the best solution, given the particulars of your health system.

0:19:51.420 –> 0:20:9.360
Jordan Cooper
Well, Judy, we’ve covered a lot of ground today. We’ve talked about cybersecurity, ERP, EHR’s going into the cloud. We’ve spoken to some extent about integrating third party applications, security of releasing patient data, even journalism we touched upon. Do you have any last closing words for any of our listeners today?

0:20:10.940 –> 0:20:12.920
J.D. Whitlock
I can’t think of anything else. Thanks Jordan.

0:20:13.240 –> 0:20:22.270
Jordan Cooper
All right. Well, for our listeners, this has been JD Whitlock, the CIO of Dayton Children’s Hospital and owner of Wits End Consulting, JD. Thank you very much for joining us today.

0:20:22.660 –> 0:20:23.280
J.D. Whitlock
Thank you, Jordan.