The life of a healthcare CIO is not an easy one. In addition to the myriad enterprise IT challenges faced by the typical CIO, technology professionals working in healthcare face HIPAA privacy and security laws, government mandates to implement or update Electronic Health Record (EHR) technology and, above all, a culture built on paper charts, paper prescriptions and folders upon folders of medical records.\n\n\nWhile some may call for a dramatic sea chance to bring healthcare IT into the 21st century, the reality is that the journey of 1,000 miles really does begin with a single step. Many organizations have begun that journey, though, and see the value in sharing what they've learned along the way.\n\n\nAt the recent Health IT Summit in Fort Lauderdale, Fla. hosted by the Institute for Health Technology Transformation, healthcare IT leaders shared the lessons they had learned from EHR and data analytics implementation, offered hints for embracing BYOD in an industry that demands security and looked to the future of EHR use, data exchange and genomics.\n\nKeep Your Eyes on the Prize\n\nThe beginning of 2014 means the beginning of stage 2 of the federal government's meaningful use incentive program. While stage 1\u2014which began in 2011 or 2012, depending on when organizations first completed meaningful use attestation\u2014focuses on capturing and sharing data, stage 2 emphasizes using that data to advance clinical processes, which is done through the use of e-prescriptions, lab results and Computerized Physician Order Entry (CPOE).\n\n\nStage 2 of meaningful use, then, is inherently more complex than stage 1. It doesn't help that "turnkey" stage 2 products from EHR vendors are few and far between, says John Showalter, chief medical information officer at the University of Mississippi Medical Center. Beginning next year, EHR systems that aren't optimized for stage 2 will be more cumbersome for healthcare providers and "more of a hindrance to care for patients," says John Santangelo, director of IT for the Cleveland Clinic.\n\n\nThat said, Santangelo advises healthcare organizations not to forget about stage 1, as those who attested in 2011 and 2012 also need to do so this year. It's OK to focus on stage 2\u2014and to keep an eye on stage 3, which begins in 2016\u2014but you can't get there without maintaining the progress you've made in stage 1, he says.\n\nUse Mandates to Enforce Change\n\nTechnology isn't the only challenge of meaningful use stage 2. The cultural change that comes with using technology to advance clinical processes hits some physicians hard. Two years after implementing CPOE, only 55 percent of physicians at New Jersey's CentraState Healthcare System were using it, says Neal Ganguly, vice president and CIO, admitting that there's no penalty in place for noncompliance.\n\n\nTo combat this, Showalter recommends "hardcore governance." Doctors cannot drop a bill until they've completed a problem list, which contains past diagnoses, test results and other medical history which is a meaningful use requirement. It's harsh, yes, but it's effective. In addition, Showalter's organization has prohibited phone dictation; this must now be done through the EHR system. This has saved $1.6 million a year\u2014no small amount for the University of Mississippi Medical Center, where the vast majority of patients are on Medicaid.\n\nDon't Be 'Dr. No'\n\nThat said, strict governance isn't the same as saying "No" to end users all the time. It's not uncommon, since the security officer at most organizations is "the most paranoid guy you know," says Kim Sassaman, CISO of Presbyterian Healthcare Services.\n\n\nInstead of always saying "No," Sassaman suggests turning that into, "Yes, if\u2026" and working with business groups to outline the conditions by which mobile devices, the cloud, social media and other services can, in fact, be used.\n\n\nHow-to: 7 Tips for Establishing a Successful BYOD Policy\n\n\nThis does two things, he says. One, it brings business leaders into the conversation and gives them more authority in crafting a BYOD policy, for example. Two, it helps make the security officer someone end users aren't afraid to talk to.\n\nEncourage Healthcare IT Innovation\n\nA great way to make "Yes, if\u2026" conversations happen is to encourage innovation. Contrary to popular belief, healthcare is ripe with innovation. Close to one-third of all mobile applications are health-related. But 80 percent of those apps are for consumers, focusing on exercise, wellness and disease management, and the remainder often do little more than port desktop interfaces onto mobile devices, says Naomi Fried, chief innovation officer at Boston Children's Hospital.\n\n\nPart of the problem stems from the innovation cycle, Fried says. After the first three stages\u2014initiate, ideate and pilot\u2014there's often a large gap before proceeding to the final three stages\u2014operationalize, optimize and obsolete\/repeat. Closing the gap means reengaging leadership, implementing change management and simply acknowledge that such a gap exists, she says. None are easy tasks.\n\n\nTo help the cause, Boston Children's Hospital created the FastTrack Innovation and Technology (FIT) Program, which focuses on the ideation and pilot steps. Users submit innovation ideas that they think will help meet the hospital's business needs. If the idea's accepted, that user works with two developers\u2014who work on the FIT Program full-time\u2014to make it happen. (Ideas have also led to decisions to purchase commercial applications, Fried notes.\n\n\nApps to come from the FIT Program include MyWay, which helps patients and their families navigate the 3-million-square-foot hospital and surrounding neighborhood, a digital emergency department whiteboard and an smartphone-based ED communication tool that, in its pilot, got results and other information to clinicians 28 percent faster than previous means.\n\nPoach EHR Trainers from Apple\n\nAdd innovative smartphone apps to CPOE, patient list and e-prescribing functionality in often-unfamiliar EHR systems and you may have a confused user base. If physicians and clinicians don't use the systems you've implemented, everyone loses: Patients don't receive the best care, billing departments don't get accurate information and IT budgets are slashed once the hospital board of directors sees expensive systems going unused.\n\n\nRelated: EHR Implementation Rising, But Hurdles for Healthcare Providers Remain\n\n\nBetter employee training can solve this problem. But it has to be done right. You can't make doctors sit through an eight-hour class, only to never "shadow" them to see how they actually use the system, Santangelo says. Nor can you inundate them with emails every time a minor system update is made, he adds.\n\n\nWhen Broward Health was introducing its EHR application, the health system underestimated how workflow changes would impact nurses and physicians, says Rhonda Lewis, an IT systems analyst with Broward Health. "You can't skimp on the time you have to assess workflow. It's so critically important," she says. Metrics for tracking the relative success of an EHR launch must also be determined well in advance.\n\n\nAt Broward, training was an ongoing process that kept users actively involved. It began about four weeks before go-live\u2014any earlier and users were liable to forget\u2014with role-based, "day-in-the-life" exercises, Lewis says. After launch, IT provided "at-the-elbow" support alongside EHR users. If necessary, you can turn to third-party sources for this support, she says.\n\n\nDon't be afraid to look externally for trainers, too. When it was time for Presbyterian to train EHR users, Sassaman went to an unlikely source: The Apple store. Why? Apple employees have plenty of experience working with people who make expensive purchases, have high demands and expect everything to just work, he says.\n\nMake Health Data Analytics Worth the Effort, Too\n\nWorkflow also matters for healthcare organizations considering data analytics initiatives. The possibilities for improving efficiency are care quality while reducing costs are almost endless here, but the first step\u2014delivering structured data that meets specific business needs\u2014is often the hardest.\n\n\nGanguly discovered this when CentraState Healthcare System embarked on its analytics effort. The scope of the project\u2014to integrate clinical and business intelligence data\u2014was far greater than anticipated, with end user needs unclear, benchmark data unavailable (unless CentraState wanted to purchase additional software) and necessary data not always being captured electronically.\n\n\nRelated: 6 Big Data Analytics Use Cases for Healthcare IT\n\n\nThe project's revised scope focused on functional tools for initiatives such as value-based purchasing, readmissions management and integrating financial applications with the system's quality improvement efforts, Ganguly says.\n\n\nKey lessons for data analytics initiatives, Ganguly adds, include collecting the right data at the front end, making managers accountable for the financial success (or failure) of their work and providing analytics for the entire continuum of care, which means not excluding ambulatory or post-acute care.\n\nBehold the (Potential) Power of Genomics\n\nAdvances in genomics research mean that there will soon be billions of data points per patient, says Brian D. Athey, professor and chair of the Department of Computational Medicine and Bioinformatics at the University of Michigan Medical School.\n\n\nFor example, information about gene variants that's added to clinical decision support systems can help prevent adverse drug reactions, Athey says. This matters, he adds, because each additional medication that a person takes increases the likelihood of an adverse reaction by 14 percent, and 60 percent of geriatric patients in the United States are taking at least nine medications per day.\n\n\nMore: How Genomic Research Could Improve Healthcare\n\n\nThis data doesn't necessarily need to make its way into an EHR system, but organizations should be thinking about how to put that data into physicians' hands. Many leading EHR vendors do support the applications that provide this data, but Athey describes them as "stovepipe" systems unable to share data.\n\nApproach Vendors With Pitchforks and Torches\n\nMany systems use disparate applications for reporting and data warehousing, not to mention EHRs, claims and billing apps, patient portals, imaging systems and health information exchange (more on that later). Most of these apps have to be customized out of the box, too, in order to meet the complex needs of a healthcare organization.\n\n\nThis makes healthcare IT interoperability a major challenge. Some might call it an insurmountable one: Some EHR vendors are charging providers $10,000 or more for an interface into an Health Information Exchange (HIE) entity, while others are claiming to be "interoperable" when the term only applies to their product offerings.\n\n\nThe best way to address the issue, says Derek Plansky, senior director of client solutions for HIE software vendor Sandlot Solutions, is to "lay it at the feet" of EHR vendors. Protest the fees, demand interoperability and do whatever else it takes to be heard. Larry Sitka, founder and lead software engineer for Acuo Technologies, which makes vendor-neutral archives for healthcare data, notes that one healthcare organization won't make much noise, but many orgs will.\n\nTake Sustainability Seriously\n\nInteroperability is one concern for HIE organizations (the public or private entities that enable information exchange among providers). For many entities, though, the biggest long-term challenge is sustainability. They provide a valuable service, Plansky says, and it's one that people are willing to pay for, but the seed money that HIE entities received under the 2009 stimulus bill won't last forever.\n\n\nScott Afzal, principal at Audacious Inquiry and program director at CRISP, the state of Maryland's HIE, says the entity has connected every hospital in the state, and processes 15,000 queries per month, but has struggled to convince ambulatory practices to come on board.\n\n\nAnalysis: Health Information Exchange Critical But Suffers From Complications\n\n\nRight now, fees charged to hospital cover one-third of CRISP's costs\u2014the fees don't match the value, he says, but "good will and enormous political pressure" fill the gap\u2014with payers and the state government supplying the rest. They are willing to pay, Afzal says, as payers get service notifications from healthcare providers and the state of Maryland gets data for population health mapping purposes.\n\n\nThe government seed money will work for general HIE infrastructure and other start-up costs. Beyond that, though, HIE entities need a plan. "If there's no business model, maybe we shouldn't do it at all," says Steve Sarros, vice president and CIO for Baptist Health Care.\n\nDon't Worry About the Boogeyman\n\nEnterprises in all industries fear external threats\u2014Chinese hackers, Nigerian spammers and the guy parked across the street in the windowless van\u2014but the real threats are largely internal. Human errors and system glitches caused 64 percent of data breaches in 2012, according to Symantec and the Ponemon Institute, while the majority of healthcare data breaches are the result of lost or stolen patient records.\n\n\nHow-to: 12 Tips to Prevent a Healthcare Data Breach\n\n\nYes, firewalls are important, Sassaman says, but they mask the larger issue. Healthcare organizations need to educate employees about the dangers of losing personal health information, implement clear governance policies and, above all, encrypt all their laptops. (IT too busy for that? Go to a nearby PC repair shop. That's what Sassaman did for Presbyterian.)\n\nAs You Lead, Wear Many Hats\n\nLeadership is crucial to the success of any healthcare IT endeavor. "Implementing something that fundamentally changes the way people do things is a test of leadership," says Alice Taylor, CEO of Broward Health Imperial Point. But different projects will need different leadership styles, she says.\n\n\nOn any matter than concerns patient safety, you need to be autocratic, Taylor says; there's no room for flexibility or negotiation. Other initiatives, though, require approaches that are collaborative, coaching, mentoring or engaging. The key is to lay the ground rules early in the project, she says.\n\n\nThat way, employees know whether to expect Dr. No or Dr. Livingstone.\n\n\nBrian Eastwood is a senior editor for CIO.com. You can reach him on Twitter @Brian_Eastwood or via email. Follow everything from CIO.com on Twitter @CIOonline, Facebook, Google + and LinkedIn.