By Mark Ferlatte, CTO of Truss.
There’s no shortage of news stories and think pieces outlining the ways regulations have hurt healthcare in the U.S., from spending to physician burnout. (Notably, there’s also no shortage of stories claiming the opposite.) Regardless of this debate around benefits vs. protections, there are a few non-negotiables–like doing everything possible to prevent a breach. Patients are entrusting organizations with their health data in ways that they don’t understand, and failure to protect that data can lead to clear and direct harm: embarrassment, identity theft (healthcare records are considerably more valuable than credit card numbers), or discriminatory practices by employers.
As a result, many engineering and IT departments in the healthcare industry accept a reduced level of function and service in order to avoid costly penalties. Unfortunately, this also harms their customers because of reductions in the effective level of care.
New, smaller and more agile healthcare companies are encountering these legacy environments. For example, they may only be able to get a “data dump” every week (or month) from partners, and many of the organizations they partner with export data in formats that are expensive to work with, like retro formats from 1970s and 1980s mainframes.
This is a problem in an era where customer service has become the crux of any business. The healthcare providers that don’t change because of the regulatory risk will not be able to build a quality consumer product, even for internal platforms. And internal products now have to be consumer grade as well. We’ve talked with doctors who changed jobs because their hospital adopted a medical record system that was bad.
The truth is that newer technologies can allow healthcare systems to do both, but fear of transition and possible compliance violations are holding progress back. And that’s why, in 2018, we can get a probe to Pluto but we can’t send over health records within minutes of a patient’s request. Scaling a new infrastructure and workflow for the largest healthcare systems is a huge project, so changes with clear benefits–like DevOps practices, iterative software development and a constant release schedule–are met with resistance. Here are three ways healthcare systems can start digging themselves out of this:
#1: De-silo. Most have heard this advice, but acting on it is different for every organization. At a high level, most healthcare IT departments have a compliance group, an infrastructure group, a security group and a product engineering group, all working independently of each other. The compliance group (usually lawyers and analysts who often lack technical expertise) needs ongoing conversations with engineering and security so that those teams understand the compliance requirements. In return, those teams can help the compliance group understand trade-offs, what’s realistic, anticipated roadblocks, etc.
Security teams tend to develop their own compliance controls internally and often don’t tie those controls back to the actual regulation and policy. The infrastructure engineering teams are concerned with implementing compliance and also care that the system is always available to customers. The product engineering team wants to build something of value that keeps customers safe and meets their needs. All of these different priorities require complex trade-offs, so it is unsurprising that systems don’t fulfill customer expectations. To de-silo here, compliance teams should act as consultants to product teams and help them understand the compliance requirements. Additionally, consider merging the defensive security and infrastructure teams into a single team with a safety and availability mandate; high-quality infrastructure and high-quality security end up in the same place.