Audioboom

Transcript for S1E25: Privacy, Apps, ERP, Cloud (ft. JD Whitlock, Dayton Children’s)

00:00:00,000 → 00:00:00,410

<v Jordan Cooper>Where?</v>

00:00:01,740 → 00:00:01,440

<v J.D. Whitlock>Silence might let me put myself on do not disturb on teams.</v>

00:00:04,210 → 00:00:05,490

<v J.D. Whitlock>There we go. OK.</v>

00:00:06,690 → 00:00:15,380

<v Jordan Cooper>We're here today with JD Whitlock, the CIO of Dayton Children's Hospital and owner of Wits End Consulting, JD. Thank you for joining us today.</v>

00:00:15,910 → 00:00:17,030

<v J.D. Whitlock>Morning, Jordan. Happy to be here.</v>

00:00:17,760 → 00:00:48,850

<v Jordan Cooper>For our listeners, Dayton Children's hospitals, the $600 million pediatric integrated delivery network and pediatric acute care children's teaching hospital located in Dayton, OH, the hospital has 181 pediatric beds. JD, I'd like to kick off our conversation by asking you about information blocking regulations. I know you've worked with these to some extent. You've written that it should be permissible for providers to put a few cautionary speedbumps in the path of patients handing over their entire medical record to app vendors.</v>

00:00:49,030 → 00:01:03,150

<v Jordan Cooper>Not all of whom will have their best interest at heart and quote. I'd like to ask you to elaborate upon what a patient friendly implementation of information blocking regulations would look like. What do you think about patient access to their own electronic health record?</v>

00:01:03,820 → 00:01:19,380

<v J.D. Whitlock>Yeah, sure thing. So this is a really tricky issue where where we we need to balance patients right to their own medical record. And really what we're talking about here is patients right to get the data.</v>

00:01:20,090 → 00:01:27,070

<v J.D. Whitlock>In their record, easily and quickly into an app of their choosing because.</v>

00:01:28,020 → 00:01:45,990

<v J.D. Whitlock>Hippa gave us since 1996 they've had the right to the record in the sense that you can go to the hospital or doctor's office and say give me everything in my record and you get a bunch of paper or a CD or a flash drive or something, right? And so really it's changing the format of the data in the speed at which you get the data.</v>

00:01:48,240 → 00:01:58,880

<v J.D. Whitlock>What happened with all this regulatory language and and execution of this? Just if you're just a couple years ago now, getting close to two years ago?</v>

00:02:01,060 → 00:02:02,050

00:02:03,390 → 00:02:06,060

<v J.D. Whitlock>Some folks in the provider community.</v>

00:02:06,390 → 00:02:29,420

<v J.D. Whitlock>And said we need to be a little bit careful here because we are we are all conditioned to add apps to our phone and accept very quickly accept all the little defaults that say yes, yes, yes, yes, yes, I accept all these things and what you're doing is you're in this scenario is you can be giving your complete medical record to a company that has built an app.</v>

00:02:30,400 → 00:02:33,510

<v J.D. Whitlock>That is actually not beholden to HIPAA.</v>

00:02:34,270 → 00:02:37,360

<v J.D. Whitlock>Because due to the way that HIPAA works.</v>

00:02:38,160 → 00:02:41,250

<v J.D. Whitlock>If that is self released by the patient.</v>

00:02:42,940 → 00:02:45,250

<v J.D. Whitlock>Whoever's getting it does not have to.</v>

00:02:45,990 → 00:02:47,150

<v J.D. Whitlock>Do all HIPPA rules now.</v>

00:02:47,910 → 00:02:57,790

<v J.D. Whitlock>The government is reconsidering some of those rules, but they're not changed yet. And so basically, some of us were of the opinion we don't wanna limit.</v>

00:02:58,430 → 00:03:02,980

<v J.D. Whitlock>Patients access to their own record. We do think that we should caution.</v>

00:03:03,940 → 00:03:14,350

<v J.D. Whitlock>Uh patients what? They're what they're about to do. And So what? That looks like an epic world that I can speak to because we're epic customers. I can't speak to the details of how this works with other EH Rs.</v>

00:03:45,740 → 00:03:57,170

<v J.D. Whitlock>By releasing this now what's interesting about this is that since these regulations changed about two years ago, we now this may be different and pediatric side than the adult side. And I know there's more.</v>

00:03:58,000 → 00:04:00,620

<v J.D. Whitlock>There's more venture capital going into more apps.</v>

00:04:10,560 → 00:04:10,950

00:04:01,930 → 00:04:14,310

<v J.D. Whitlock>On the adult medicine side, but we have not seen a whole lot of people actually use that functionality. So there was a lot of attention paid to how the regs were changing.</v>

00:04:15,600 → 00:04:30,430

<v J.D. Whitlock>And then actually not not a whole, not a whole lot of activity there. So now that I'm talking about chapter one of the what changed in April of 2021, then there was what changed last fall.</v>

00:04:30,830 → 00:04:31,080

00:04:31,280 → 00:04:39,290

<v J.D. Whitlock>For the all EHR, which is a whole different, which is a whole different story which would take longer to explain. I know I don't know if you want to get into that right now or not.</v>

00:04:39,510 → 00:04:41,790

<v Jordan Cooper>How often are HIPAA requests even made?</v>

00:04:43,220 → 00:04:50,060

<v J.D. Whitlock>Hippa requests are made all the time, but but a very often in the you know two are.</v>

00:04:51,700 → 00:04:54,010

<v J.D. Whitlock>Our AIM department is most.</v>

00:05:01,220 → 00:05:01,490

00:04:55,150 → 00:05:04,330

<v J.D. Whitlock>All health systems have a have a Kim department with a release of information, process and then depending on the receiving.</v>

00:05:04,990 → 00:05:11,190

<v J.D. Whitlock>Yeah, if somebody is consult going to some other health system or seeing some other specialist, it completely depends.</v>

00:05:22,720 → 00:05:23,090

00:05:11,980 → 00:05:26,550

<v J.D. Whitlock>On their capability, right, if that other specialist is on EPIC, then it's pretty seamless just within Epic. You don't necessarily have to go get all of that. If they're not, you may still have to have to get all that on a like a flash drive or something.</v>

00:05:31,520 → 00:05:31,760

00:05:29,610 → 00:05:49,610

<v Jordan Cooper>Third party apps and people just downloading them and clicking through the terms and conditions. I like to ask you to speak to what should a CIO of a healthcare delivery system be thinking about when considering integrating third party apps into an epic Behr instance within the umbrella topic of digital health innovation.</v>

00:05:50,600 → 00:05:54,540

<v J.D. Whitlock>Here are so most of the time and the this is where the patient right comes in, right?</v>

00:05:56,250 → 00:06:04,210

<v J.D. Whitlock>If the patients right to download their data into an app of their choosing, whether or not the health system knows anything about that app.</v>

00:06:07,910 → 00:06:08,260

00:06:16,890 → 00:06:23,520

<v J.D. Whitlock>With with the with a, a proxy rights into the patients medical record, which by the way.</v>

00:06:24,390 → 00:06:30,240

<v J.D. Whitlock>Even I'm a complicates the situation more because if.</v>

00:06:31,790 → 00:06:35,300

<v J.D. Whitlock>Forsake of argument. There was a another.</v>

00:06:37,500 → 00:07:05,880

<v J.D. Whitlock>I'm going to use the term Cambridge Analytica, that company that got in trouble a few years ago because they're wildly inappropriate use of Facebook data, Cambridge analytical like vendor out there that was taking patients Phi and then maybe doing inappropriate things with it did not ultimately have the patients best interest at heart. Now there's the added complexity of mom or dad made the choice to share Junior's medical record.</v>

00:07:06,820 → 00:07:22,270

<v J.D. Whitlock>It in and you know, maybe two years later the that the patient is an adult and somebody else shared their medical record. Is that so? The parent has to accept that risk for their kids. So it's very complex. And then you have different adolescent.</v>

00:07:23,010 → 00:07:27,560

<v J.D. Whitlock>Uh privacy rules in can be different in different states.</v>

00:07:28,000 → 00:07:28,350

00:07:37,570 → 00:07:37,840

00:07:28,710 → 00:07:45,410

<v J.D. Whitlock>So the the age of an adolescence right to kick mom and Dad out of their medical record can be different at different states. And so it's very obviously just difficult for EHR vendors to handle all of that complexity. So it gets very complex very quickly.</v>

00:07:45,950 → 00:08:16,040

<v Jordan Cooper>So the quote that I read about that information blocking regulations cited a healthcare journalism well cited an article by Forbes. So I wanna ask about healthcare journalism in particular. I'd like to ask there are other CEOs of healthcare systems listening to this episode right now. What could they do to improve the way that their story is told, that their institution, if they speak to journalists and then make sure that their story is told accurately, is there anything that CIOs can do to?</v>

00:08:16,130 → 00:08:18,470

<v Jordan Cooper>Help improve the state of healthcare journalism.</v>

00:08:19,860 → 00:08:21,870

<v J.D. Whitlock>Umm, that's it, that's a good question.</v>

00:08:24,050 → 00:08:29,190

<v J.D. Whitlock>In relation to the to the Forbes article, the comments that I made were.</v>

00:08:30,410 → 00:08:32,580

<v J.D. Whitlock>It's the point of that article was.</v>

00:08:34,080 → 00:08:46,850

<v J.D. Whitlock>Epic is about to be disrupted because of venture capital going into all this digital health, and my point was no, not really because you're average up a customer.</v>

00:09:12,370 → 00:09:12,920

00:08:48,860 → 00:09:16,060

<v J.D. Whitlock>Spends most of their time doing things that aren't terribly easy to disrupt, like like surgery and emergency room and hospitals and a lot of times when you turn on the TV and see some new company that wants to treat some condition of yours with a video visit, and then we'll send you a prescription. It's mostly falls into primary care. And so that was that was me just pointing that out. Look, you're always going to have.</v>

00:09:16,310 → 00:09:29,790

<v J.D. Whitlock>I'm a minority of journalists that are just going for the sensationalistic headline and not digging deep. And So what can we, as healthcare CIOs, do? Well, I guess we can.</v>

00:09:30,460 → 00:09:38,600

<v J.D. Whitlock>And call out some of the worst examples of that when we see and by the way, I'm not saying that that author that Forbes.</v>

00:09:39,340 → 00:09:41,690

<v J.D. Whitlock>Article was doing was in that category.</v>

00:09:42,070 → 00:09:42,390

00:09:42,930 → 00:09:43,820

<v J.D. Whitlock>I just think they.</v>

00:09:48,380 → 00:09:48,760

00:09:44,700 → 00:09:48,970

<v J.D. Whitlock>Mr. Few subtleties there, and I pointed out a few of the subtleties. So.</v>

00:09:49,420 → 00:09:49,930

00:09:51,790 → 00:10:22,230

<v Jordan Cooper>I'd like to pivot this conversation, move to a new topic that I think may be of interest to our listeners and hasn't been broached on too many other podcasts and in the health IT space, and that would be selecting a healthcare enterprise, resource planning or ERP vendor. I know you work with work day and I know that most CEOs work with some ERP or other. I'd like to ask you to speak to our listeners about what went into that decision and how you leverage your ERP and what lessons you've learned through that process, those processes.</v>

00:10:23,300 → 00:10:38,910

<v J.D. Whitlock>Sure. So so choice of any RP and then implementation and execution of your P is maybe probably not quite as important as the same for EHR, but almost as important, right.</v>

00:10:38,880 → 00:10:39,190

00:10:49,400 → 00:10:49,850

00:10:39,430 → 00:10:53,020

<v J.D. Whitlock>Umm. So yeah, so we we've been on work day for a while, we actually one of the first handful of health systems that went on to their supply chain management module back in 2019.</v>

00:10:53,620 → 00:11:07,890

<v J.D. Whitlock>Umm, so we're using work day for almost everything that you can use work day for. As I understand the market right now looking at some of the class research data and other sources, it's sort of coming down to.</v>

00:11:08,240 → 00:11:11,360

<v J.D. Whitlock>And either work day or Oracle.</v>

00:11:28,300 → 00:11:28,840

00:11:13,320 → 00:11:40,880

<v J.D. Whitlock>And of course, the advantage of on the on the Oracle side, if health system is a Cerner now Oracle health customer for their EHR, they could go with Oracle ERP and have the proverbial one throat to choke for their EHR and their ERP, right. And of course, there's some integration points there too. So one interesting thing that I've noted talking to other CIOs is that.</v>

00:11:41,590 → 00:12:03,970

<v J.D. Whitlock>In some health systems, they're stuck in neutral on ERP transition because they're having difficulty convincing the leadership of all those different business units, HR finance, supply chain, that they even need a modern cloud based integrated ERP.</v>

00:12:04,750 → 00:12:08,870

<v J.D. Whitlock>Because it's obviously a massive amount of massive change management.</v>

00:12:10,110 → 00:12:20,680

<v J.D. Whitlock>Big cost, new cost implementation costs certainly and some people are happy with their legacy solutions and sometimes the.</v>

00:12:21,380 → 00:12:37,440

<v J.D. Whitlock>Benefits are maybe longer term and a little bit harder to communicate, and so that's an interesting dynamic that I've seen. And I've also seen a lot of health systems that are in the middle of that transition.</v>

00:12:38,920 → 00:12:46,610

<v J.D. Whitlock>And so so yeah, that's that's just the just something else that's vitally important part of a health system CIO's job these days.</v>

00:12:47,100 → 00:13:02,410

<v Jordan Cooper>To how would you advise S CIO listening as episode to speak to those individual business unit owners to make their case that it is important to go to a modern cloud based ERP despite the associated costs and change management issues?</v>

00:13:20,100 → 00:13:20,450

00:13:03,220 → 00:13:29,100

<v J.D. Whitlock>Sure, this is uh, I think this is definitely a case of, you know, shining a light on some of the technical debt out there, which of course you gotta be careful with that term because the leaders not in it might not even really understand what we mean when we say technical debt. It's all the work. That's all the effort that the hamsters hamster wheel going on in the background to.</v>

00:13:29,180 → 00:13:37,940

<v J.D. Whitlock>To to, you know, move data between the systems to sort of fight with some of the legacy architectures to keep up.</v>

00:13:38,940 → 00:13:45,590

<v J.D. Whitlock>You know, up the upgrading. Often these are still on Prem systems.</v>

00:13:46,860 → 00:14:07,730

<v J.D. Whitlock>You know, at at Dayton Children's, we're a relatively small health system and I've noticed this the same thing for other small health systems where you can actually have your major facilities connected with dedicated fiber, not traversing the Internet. And that is we're we're keeping our EHR and other core clinical systems on on Prem.</v>

00:14:08,360 → 00:14:08,630

00:14:08,720 → 00:14:12,220

<v J.D. Whitlock>OK, now if you're a 50 hospital system, by definition.</v>

00:14:12,920 → 00:14:27,270

<v J.D. Whitlock>It really doesn't matter where EHR is hosted. It might as well be hosted in the cloud because you have to traverse the Internet to get to those fifty hospitals, right? Or maybe 49 hospitals. If your data centers. If you're data centers and your largest flagship hospital, but.</v>

00:14:27,400 → 00:14:33,220

<v J.D. Whitlock>And but a lot of smaller health systems are are staying on Prem for the clinical.</v>

00:14:33,920 → 00:14:34,260

00:14:34,110 → 00:14:36,090

<v J.D. Whitlock>However, I it's.</v>

00:14:37,310 → 00:15:07,080

<v J.D. Whitlock>For your ERP, the benefits of going cloud are just it. It's well, it's the normal benefits of going of going cloud that you don't have to worry about hosting that on Prem. One thing I'll say complementary for work day is they do it's one code base and every six months you get an upgrade and that upgrade is relatively seamless and there are always rolling out much of new features, the interfacing and the APIs.</v>

00:15:07,160 → 00:15:14,730

<v J.D. Whitlock>Are are done well. Those are the things you get out of a a modern built from the ground up software as a service ERP.</v>

00:15:14,340 → 00:15:16,930

<v Jordan Cooper>Sort of. What to what extent are the?</v>

00:15:38,160 → 00:15:38,450

00:15:42,440 → 00:15:42,710

00:15:47,600 → 00:15:47,800

00:15:48,870 → 00:15:49,140

<v J.D. Whitlock>Right.</v>

00:15:18,070 → 00:15:49,480

<v Jordan Cooper>I'd like to ask about an healthcare delivery systems motivations to move to the cloud. I'd like to ask you to balance to what extent the motivations are security, automatic upgrades, not worrying about that infrastructure purchasing, hardware replacing hardware versus liability. Hey, if something goes wrong, if there is ransomware or if there is some kind of hack or attack that the lawsuits and the legal onus is actually on a third party, whatever that cloud vendor is as opposed to us.</v>

00:15:50,020 → 00:15:59,630

<v J.D. Whitlock>Sure. Yeah. That's a great question. So there's a whole lot of to unpack there. So one thing I think we're mostly past I think in the early days.</v>

00:16:00,560 → 00:16:05,210

<v J.D. Whitlock>Early days, I don't know. Ten years ago, whatever. You know some of these.</v>

00:16:15,460 → 00:16:15,670

00:16:06,580 → 00:16:22,490

<v J.D. Whitlock>They keep the cloud capabilities became available and we were sometimes we would say well, we can't put our protected health information in the cloud, they cloud can't handle it. We're past that. Look, I mean the major cloud platforms, they're hitrust certified and come out, let's be honest.</v>

00:16:22,610 → 00:16:25,280

<v J.D. Whitlock>Did it based on our.</v>

00:16:26,360 → 00:16:46,510

<v J.D. Whitlock>You know, cybersecurity capabilities of your average health system that we're getting ransomware, there's somebody's getting ransomware every day, right in the news. We're not necessarily doing any better there. So that's one thing now in terms of the liability you brought up, which is a very good point.</v>

00:16:48,250 → 00:16:50,250

<v J.D. Whitlock>You know that that it ultimately.</v>

00:16:51,620 → 00:17:00,290

<v J.D. Whitlock>Some of these bigger cloud vendors are also bigger targets, right? So on the one hand, you may not have the same sophistication.</v>

00:17:15,980 → 00:17:16,310

00:17:01,570 → 00:17:33,340

<v J.D. Whitlock>Your cyber security defenses at a smaller health system, on the other hand, you're you're not as big a a big of a target. So interestingly, when you consider the solar ones hack a few years ago and for those that are not familiar with that, what happened was that that is some software that was used to help with it architectures for many, many, many, many companies. I think I'm may have beginning this number wrong, but the number I'm remembering is 18,000.</v>

00:17:35,420 → 00:18:02,270

<v J.D. Whitlock>Uh companies were used SolarWinds and were compromised by the fact that they they had. It was inside job basically and there was malware that was part of an update to the software. OK, so lots of people were compromised, basically anybody that uses software was compromised. Didn't Jones was compromises that, I mean it's not releasing any state secrets to say that however.</v>

00:18:04,090 → 00:18:08,090

<v J.D. Whitlock>The the bad guys only had enough time to exploit.</v>

00:18:10,000 → 00:18:10,200

00:18:08,940 → 00:18:11,980

<v J.D. Whitlock>That in a in a smaller number of.</v>

00:18:13,480 → 00:18:19,270

<v J.D. Whitlock>It in and higher visibility, higher value targets. They typically went off after government agencies.</v>

00:18:19,350 → 00:18:47,700

<v J.D. Whitlock>If, if, and so basically the the the joke when we talked about this with our leadership in our in our board was well you know the bad news is we were one of 18,000 companies that were compromised. The good news is we weren't important enough for them to exploit it right, which is a weird situation. You really don't want to be in, right? That's a weird thing to explain to your board. Right? And so you got to be careful about all of this.</v>

00:18:47,800 → 00:18:55,020

<v J.D. Whitlock>Yeah. I I I don't know what I have a really good direct answer to your to your liability question.</v>

00:18:55,470 → 00:18:55,770

00:18:55,910 → 00:19:00,110

<v J.D. Whitlock>And another complicating factor closely related to that is of course.</v>

00:19:01,390 → 00:19:03,260

<v J.D. Whitlock>Cyber security insurance.</v>

00:19:04,380 → 00:19:04,650

00:19:04,080 → 00:19:06,370

<v J.D. Whitlock>And how that's changed so much and because of?</v>

00:19:20,160 → 00:19:20,470

00:19:20,990 → 00:19:26,500

<v J.D. Whitlock>Some people are having to reconsider whether they even can get that insurance.</v>

00:19:28,020 → 00:19:42,130

<v J.D. Whitlock>And then you're you have to ask yourself, is the dollars better spent on the insurance or the dollars better spent on that? Next thing we ought to do to implement, you know, zero trust architecture at our health system. So it gives.</v>

00:19:42,230 → 00:19:50,600

<v J.D. Whitlock>That gets very complex. There's no easy answer. It's absolutely what's the what's the best solution, given the particulars of your health system.</v>

00:19:51,420 → 00:20:09,360

<v Jordan Cooper>Well, Judy, we've covered a lot of ground today. We've talked about cybersecurity, ERP, EHR's going into the cloud. We've spoken to some extent about integrating third party applications, security of releasing patient data, even journalism we touched upon. Do you have any last closing words for any of our listeners today?</v>

00:20:10,940 → 00:20:12,920

<v J.D. Whitlock>I can't think of anything else. Thanks Jordan.</v>

00:20:13,240 → 00:20:22,270

<v Jordan Cooper>All right. Well, for our listeners, this has been JD Whitlock, the CIO of Dayton Children's Hospital and owner of Wits End Consulting, JD. Thank you very much for joining us today.</v>

00:20:22,660 → 00:20:23,280

<v J.D. Whitlock>Thank you, Jordan.</v>

Sorry, your browser isn't supported by Audioboom.

Page load failed