by Brian Eastwood

Top Challenges Facing Healthcare CIOs

Aug 21, 2012
8 mins
Cloud Computing, Data Breach, Enterprise Storage

Few industries face as many IT challenges as healthcare, where government mandates, security requirements and a need to replace outdated technology make a CIO's job difficult.

Each vertical market presents its own challenges to CIOs, but few offer as many obstacles as the healthcare industry. They must balance stringent security and privacy regulations with a pressing need to improve IT infrastructure and a mandate to implement electronic health record (EHR) software—all amid the political firestorm of healthcare reform, increasing pressure to cut costs, general reluctance among healthcare professionals to trust technology and a shortage of IT talent in the industry. The 12 issues presented here all come with their own challenges and stakeholders, while the consequences for failing to address them vary tremendously.

Meaningful Use

Meaningful use is the granddaddy of all healthcare IT challenges. Passed in the 2009 economic stimulus package’s HITECH Act, the program requires all providers to demonstrate the meaningful use of EHR by 2014 or face reduced Medicare reimbursements. (For Medicaid participants, the deadline for avoiding penalties is 2016.) Providers do receive financial incentives for using EHRs before those deadlines. Meaningful use is to be achieved in stages, with stage 1 underway and stage 2 beginning in 2014. Critics say the program is too costly and too ambitious. Given that large hospitals can spend several years and many millions on EHR and electronic prescription implementation, they may be right.


Health Information Exchange

The HITECH Act also funded the creation of state HIEs. These groups have the enviable task of helping healthcare organizations share data contained in largely proprietary EHR systems, of which there are literally thousands, though the Nationwide Health Information Network Exchange initiative to develop standards and policies for data exchange may help (provided varying laws about patient records crossing state lines can be reconciled). In addition, there are close to 300 HIE organizations (most of which predate the HITECH Act) that represent their own geographic areas, set their own policies and have matured more than the state groups. CIOs looking to get started with HIE will likely have more questions than answers and find it a highly political process.

Healthcare Reform

Two parts of the controversial reform bill upheld by the U.S. Supreme Court concern technology. One is the mandate for each state to set up a health insurance exchange by 2014 so consumers can buy insurance on the open market. Even Massachusetts, the state at the forefront of healthcare reform, is struggling to implement the necessary combination of technology that includes content management, ecommerce, CRM and portals. The second is the accountable care organization, a voluntary partnership among providers who aim to give patients more coordinated, and less expensive, healthcare. Accomplishing this requires significant investment in EHR and HIE, as well as robust clinical data analytics and frequent patient engagement (both of which will be covered later).

HIPAA Compliance

The HITECH Act beefed up HIPAA, which predated the rise of information technology. It essentially turns business associates into covered entities, meaning they must take steps to secure personal health information, and it dramatically increases the fines for a data breach involving PHI. Tellingly, it notes that a loss of encrypted PHI does not constitute a data breach, implying that organizations should invest in encryption technology. The bigger issue, judging from the list of data breaches since new HIPAA rules went into effect, remains lost or stolen hardware—primarily laptops and mobile devices—containing PHI that’s all too easy to obtain. On top of that, healthcare reform sets a 2014 deadline for electronic fund transfer compliance.

Mobile Health and BYOD

Medical professionals love smartphones and tablets such as the iPad, which fits nicely in a doctor’s white coat pocket, and the ubiquitous example of a doctor remotely accessing patient records from a child’s soccer game points to the tremendous potential of mobile health, especially in the developing world. CIOs remain wary. In addition to the usual security requirements of a successful BYOD policy, healthcare CIOs must contend with HIPAA privacy and security rules, which penalize providers even if users’ personal devices go missing. This means taking an especially close look at which users can access which applications—or even particular data sets within applications—and, if field medics and trauma nurses share touchscreen monitors, robust, role-based identity and access management.

Wireless Networking

Giving healthcare workers access to mission- and life-critical applications and medical devices requires a strong, secure wireless network. In facilities filled with banks of elevators, radiology departments, stacks of bathrooms and box upon box of paper records—all of which interrupt wireless signals—building a strong hospital network can be a challenge. Linking an entire medical campus, especially one filled with buildings that predate the ENIAC, let alone the Internet, can be nearly impossible. Possible Food and Drug Administration regulation of hospital wireless networks doesn’t help. The solution is often a combination of a wireless WAN and a plethora of access points, neither of which comes cheap. Perhaps coincidentally, new hospital construction, when it happens, seems to focus more on wired networks.


Telemedicine

The challenge of wireless networking in hospitals—not to mention bringing broadband to rural America—is one technological factor hindering the spread of telemedicine, which connects specialists (often in urban or university facilities) to patients in areas underserved by doctors. Another is equipping exam rooms with teleconference equipment, which can be expensive and hard to use. Then there’s the thorny issue of telemedicine reimbursement; there’s no national rule, and individual state policies vary, especially when it comes to providing services that cross state lines, so some doctors hesitate to participate in a program for which they won’t get paid. Payers, including Medicare, have also been slow to catch on. Perhaps that’s why robots are providing telemedicine services in some hospitals.

Patient Engagement

Perhaps the only thing harder than convincing healthcare professionals to use technology is convincing patients. Few use personal health record services, for example. PHRs offer electronic access to key information such as medical history, lab results and drug allergies, but many won’t let patients edit info, are limited to certain providers or are just plain hard to use. The medical home model combines telemedicine and mobile health and offers promise for improving patient engagement and cutting care costs. So do emerging smartphone applications and gadgets that help patients track exercise and vital signs alike. Meanwhile, advocates including Regina Holliday and Dave de Bronkart remain outspoken in Washington about giving patients access to their data.

Clinical Data Analytics

Big data has big potential in healthcare. On a system-wide level, executives can see what medical conditions are most prevalent among patients and devote resources to treating or even preventing them. They can also determine if certain procedures lead to return hospital visits and share best practices for rehabilitation and recovery. On an individual level, abundant wireless mobile health devices and applications give clinicians a chance to monitor and study patients’ vital signs remotely, so that, say, a sudden spike in blood glucose is addressed without an expensive ER trip. The challenge, of course, is first implementing analytics systems and then bringing information together in a clinical data warehouse that’s accessible yet secure. Often only the largest healthcare systems can afford this.

Storage Infrastructure

Hundred-year-old hospital buildings frustrate storage administrators as much as they do network admins. The typical healthcare data center is bursting at the seams, inconveniently located and a low priority for executives focused instead on expanding clinical space. The electronic documentation needed to meet the HITECH Act’s meaningful use requirements, not to mention state and federal data retention laws that may require healthcare organizations to keep patient records on file for as long as 25 years, will only make things worse. To combat this, organizations can deploy virtualized storage on a storage area network while rolling out thin provisioning, tiered storage and data replication technology on top of it. However, not all medical software vendors, and not all legacy applications, support SAN technology.

The Cloud

In theory, the cloud’s a great place for healthcare organizations to store appointment summaries, medical images and other patient records, as well as a viable data backup option for disaster recovery planning. There’s no need for additional infrastructure or personnel and, since data is essentially being archived, immediate access to data isn’t necessary. In practice, questions about data ownership, HIPAA compliance, public cloud security and “always-on” availability make many healthcare providers wary of cloud services—even though, as noted, hospital IT security itself tends to be weak. That said, some smaller healthcare providers are giving inexpensive, easy-to-use cloud-based EHR systems a shot, while a minority of larger providers are building private clouds as extensions of virtual server implementations.

ICD-10

While most of the world has been using the diagnostic code set known as ICD-10 for at least a decade, the U.S. still uses ICD-9, which was finalized in 1979 and is therefore quite dated. A federal mandate to move to ICD-10 by Oct. 1, 2014 is said to improve diagnoses recorded in EHRs and streamline onerous billing processes. However, organizations such as the American Medical Association oppose it, saying ICD-10 implementation places an unfair burden on physicians, nurses and coders. It’s also a costly, time-consuming process that can’t really be automated. Oh, and the World Health Organization expects to finish ICD-11 by 2015, so another upgrade is on the horizon.