Skip to Main Content

insightsarticles

COVID-
19: Key considerations for IT leaders in Higher Ed

05.12.20

Read this if you are a CIO, CFO, Provost, or President at a higher education institution.

In my conversations with CIO friends over the past weeks, it is obvious that the COVID-19 pandemic has forced a lot of change for institutions. Information technology is the underlying foundation for supporting much of this change, and as such, IT leaders face a variety of new demands now and into the future. Here are important considerations going forward.

Swift impact to IT and rapid response

The COVID-19 pandemic has had a significant impact on higher education. At the onset of this pandemic, institutions found themselves quickly pivoting to work from home (WFH), moving to remote campus operations, remote instruction within a few weeks, and in some cases, a few days. Most CIOs I spoke with indicated that they were prepared, to some extent, thanks to Cloud services and online class offerings already in place—it was mostly a matter of scaling the services across the entire campus and being prepared for returning students and faculty on the heels of an extended spring break.

Services that were not in place required creative and rapid deployment to meet the new demand. For example, one CIO mentioned the capability to have staff accept calls from home. The need for softphones to accommodate student service and helpdesk calls at staff homes required rapid purchase, deployment, and training.

Most institutions have laptop loan programs in place but not scaled to the size needed during this pandemic. Students who choose to attend college on campus are now forced to attend school from home and may not have the technology they need. The need for laptop loans increased significantly. Some institutions purchased and shipped laptops directly to students’ homes. 

CIO insights about people

CIOs shared seeing positive outcomes with their staff. Almost all of the CIOs I spoke with mentioned how the pandemic has spawned creativity and problem solving across their organizations. In some cases, past staffing challenges were put on hold as managers and staff have stepped up and engaged constructively. Some other positive changes shared by CIOs:

  • Communication has improved—a more intentional exchange, a greater sense of urgency, and problem solving have created opportunities for staff to get engaged during video calls.
  • Teams focusing on high priority initiatives and fewer projects have yielded successful results. 
  • People feel a stronger connection with each other because they are uniting behind a common purpose.

Perhaps this has reduced the noise that most staff seem to hear daily about competing priorities and incoming requests that seem to never end.

Key considerations and a framework for IT leaders 

It is too early to fully understand the impact on IT during this phase of the pandemic. However, we are beginning to see budgetary concerns that will impact all institutions in some way. As campuses work to get their budgets settled, cuts could affect most departments—IT included. In light of the increased demand for technology, cuts could be less than anticipated to help ensure critical services and support are uninterrupted. Other future impacts to IT will likely include:

  • Support for a longer term WFH model and hybrid options
  • Opportunities for greater efficiencies and possible collaborative agreements between institutions to reduce costs
  • Increased budgets for online services, licenses, and technologies
  • Need for remote helpdesk support, library services, and staffing
  • Increased training needs for collaborative and instructional software
  • Increased need for change management to help support and engage staff in the new ways of providing services and support
  • Re-evaluation of organizational structure and roles to right-size and refocus positions in a more virtual environment
  • Security and risk management implications with remote workers
    • Accessibility to systems and classes 

IT leaders should examine these potential changes over the next three to nine months using a phased approach. The diagram below describes two phases of impact and areas of focus for consideration. 

Higher Education IT Leadership Phases

As IT leaders continue to support their institutions through these phases, focusing on meeting the needs of faculty, staff, and students will be key in the success of their institutions. Over time, as IT leaders move from surviving to thriving, they will have opportunities to be strategic and create new ways of supporting teaching and learning. While it remains to be seen what the future holds, change is here. 

How prepared are you to support your institution? 

If we can help you navigate through these phases, have perspective to share, or any questions, please contact us. We’re here to help.

Related Industries

Related Professionals

Editor’s note: If you are a higher education CFO, CIO, CTO or other C-suite leader, this blog is for you.

The Gramm-Leach-Bliley Act (GLBA) has been in the news recently as the Federal Trade Commission (FTC) has agreed to extend a deadline for public comment regarding proposed changes to the Safeguards Rule. Here’s what you need to know.

GLBA, also known as the Financial Modernization Act, is a 1999 federal law providing rules to financial institutions for protecting consumer information. Colleges and universities fall under this act because they conduct financial activities (e.g., administration of financial aid, loans, and other financial services).

Under the Safeguards Rule financial Institutions must develop, implement, and maintain a comprehensive information security program that consists of safeguards to handle customer information.

Proposed changes

The FTC is proposing five modifications to the Safeguards Rule. The new act will:

  • Provide more detailed guidance to impacted institutions regarding how to develop and implement specific aspects of an overall information security program.
  • Improve the accountability of an institution’s information security programs.
  • Exempt small business from certain requirements.
  • Expand the definition of “financial institutions” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities.
  • Propose to include the definition of “financial institutions” and related examples in the rule itself rather than cross-reference them from a related FTC rule (Privacy of Consumer Financial Information Rule).

Potential impacts for your institution

The Federal Register, Volume 84, Number 65, published the notice of proposed changes that once approved by the FTC would add more prescriptive rules that could have significant impact on your institution. For example, these rules would require institutions to:

  1. Expand existing security programs with additional resources.
  2. Produce additional documentation.
  3. Create and implement additional policies and procedures.
  4. Offer various forms of training and education for security personnel.

The proposed rules could require institutions to increase their commitment in time and staffing, and may create hardships for institutions with limited or challenging resources.

Prepare now

While these changes are not final and the FTC is requesting public comment, here are some things you can do to prepare for these potential changes:

  • Evaluate whether your institution is compliant to the current Safeguards Rule.
  • Identify gaps between current status and proposed changes.
  • Perform a risk assessment.
  • Ensure there is an employee designated to lead the information security program.
  • Monitor the FTC site for final Safeguard Rules updates.

In the meantime, reach out to us if you would like to discuss the impact GLBA will have on your institution or if you would like assistance with any of the recommendations above. You can view a comprehensive list of potential changes here.

Source: Federal Trade Commission. Safeguards Rule. Federal Register, Vol. 84, No. 65. FTC.gov. April 4, 2019. https://www.ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/safeguards-rule

Article
Higher ed: GLBA is the new four-letter word, but it's not as bad as you think

In light of the recent cyberattacks in higher education across the US, more and more institutions are finding themselves no longer immune to these activities. Security by obscurity is no longer an effective approach—all  institutions are potential targets. Colleges and universities must take action to ensure processes and documentation are in place to prepare for and respond appropriately to a potential cybersecurity incident.

BerryDunn’s Rick Gamache recently published several blog articles on incident response that are relevant to the recent cyberattacks. Below I have provided several of his points tailored to higher education leaders to help them prepare for cybersecurity incidents at their institutions.

What are some examples of incidents that managers need to prepare for?

Examples range from external breaches and insider threats to instances of malfeasance or incompetence. Different types of incidents lead to the same types of results—yet you can’t have a broad view of incidents. Managers should work with their teams to create incident response plans that reflect the threats associated with higher education institutions. A handful of general incident response plans isn’t going to cut it.

Managers need to work with their teams to develop a specific incident response plan for each specific type of incident. Why? Well, think of it this way: Your response to a careless employee should be different from your response to a malicious employee, for a whole host of legal reasons. Incident response is not a cookie-cutter process. In fact, it is quite the opposite. This is one of the reasons I highly suggest security teams include staff members outside of IT. When you’re responding to incidents, you want people who can look at a problem or situation from an external perspective, not just a technical or operational perspective within IT. These team members can help answer questions such as, what does the world see when they look at our institution? What institutional information might be valuable to, or targeted by, malicious actors? You’ll get some valuable fresh perspectives.

How short or long should the typical incident response plan be?

I often see good incident response plans no more than three or four pages in length. However, it is important that incident response plans are task oriented, so that it is clear who does what next. And when people follow an incident response plan, they should physically or digitally check off each activity, then record each activity.

What system or software do you recommend for recording incidents and responses?

There are all types of help desk software you can use, including free and open source software. I recommend using help desk software with workflow capabilities, so your team can assign and track tasks.

Any other tips for developing incident response plans?

First, managers should work with, and solicit feedback from across the academic and administrative areas within the institution when developing incident response plans. If you create these documents in a vacuum, they will be useless.

Second, managers and their teams should take their time and develop the most “solid” incident response plans possible. Don’t rush the process. The effectiveness of your incident response plans will be critical in assessing your institution’s ability to survive a breach. Because of this, you should be measuring your response plans through periodic testing, like conducting tabletop exercises.

Third, keep your students and external stakeholders in mind when developing these plans. You want to make sure external communications are consistent, accurate, and within the legal requirements for your institution. The last thing you want is students and stakeholders receiving conflicting messages about the incident. 

Are there any decent incident response plans in the public domain that managers and their teams can adapt for their own purposes?

Yes. My default reference is the National Institute of Standards and Technology (NIST). NIST has many special publications that describe the incident response process, how to develop a solid plan, and how to test your plan.

Should institutions have dedicated incident response teams?

Definitely. Institutions should identify and staff teams using internal resources. Some institutions may want to consider hiring a reputable third party to act as an incident response team. The key with hiring a third party? Don’t wait until an incident occurs! If you wait, you’re going to panic, and make panic-based decisions. Be proactive and hire a third party on retainer.

That said, institutions should consider hiring a third party on an annual basis to review incident response plans and processes. Why? Because every institution can grow complacent, and complacency kills. A third party can help gauge the strengths and weaknesses of your internal incident response teams, and provide suggestions for general or specific training. A third party can also educate your institution about the latest and greatest cyber threats.

Should managers empower their teams to conduct internal “hackathons” in order to test incident response?

Sure! It’s good practice, and it can be a lot of fun for team members. There are a few caveats. First, don’t call it a hackathon. The word can elicit negative or concerned reactions. Call it “active testing” or “continuous improvement exercises.” These activities allow team members to think creatively, and are opportunities for them to boost their cybersecurity knowledge. Second, be prepared for pushback. Some managers worry if team members gain more cybersecurity skills, then they’ll eventually leave the institution for another, higher-paying job. I think you should be committed to the growth of your team members―it’ll only make your institution more secure.

What are some best practices managers should follow when reporting incidents to their leadership?

Keep the update quick, brief, and to the point. Leave all the technical jargon out, and keep everything in an institutional context. This way leadership can grasp the ramifications of the event and understand what matters. Be prepared to outline how you’re responding and what actions leadership can take to support the incident response team and protect the institution. In the last chapter, I mentioned what I call the General Colin Powell method of reporting, and I suggest using that method when informing leadership. Tell them what you know, what you don’t know, what you think, and what you recommend. Have answers, or at least a plan.

How much institution-wide communication should there be about incidents?

That’s a great question, but a tough one to answer. Transparency is good, but it can also unintentionally lead to further incidents. Do you really want to let your whole institution know about an exploitable weakness? Also, employees can spread information about incidents on social media, which can actually lead to the spread of misinformation. If you are in doubt about whether or not to inform the entire institution about an incident, refer to your Legal Department. In general, institution-wide communication should be direct: We’ve had an incident; these are the facts; this is what you are allowed to say on social media; and this is what you’re not allowed to say on social media.

Another great but tough question: When do you tell the public about an incident? For this type of communication, you’re going to need buy-in from various sources: senior leadership, Legal, HR, and your PR team or external PR partners. You have to make sure the public messaging is consistent. Otherwise, citizens and the media will try to poke holes in your official story. And that can lead to even more issues.

What are the key takeaways for higher education leaders?

Here are key takeaways to help higher education leaders prepare for and respond appropriately to cybersecurity incidents:

  1. Understand your institution’s current cybersecurity environment. 
    Questions to consider: Do you have Chief Information Security Officer (CISO) and/or a dedicated cybersecurity team at your institution? Have you conducted the appropriate audits and assessments to understand your institution’s vulnerabilities and risks?
  2. Ensure you are prepared for cybersecurity incidents. 
    Questions to consider: Do you have a cybersecurity plan with the appropriate response, communication, and recovery plans/processes? Are you practicing your plan by walking through tabletop exercises? Do you have incident response teams?

Higher education continues to face growing threats of cybersecurity attacks – and it’s no longer a matter of if, but when. Leaders can help mitigate the risk to their institutions by proactively planning with incident response plans, communication plans, and table-top exercises. If you need help creating an incident response plan or wish to speak to us regarding preparing for cybersecurity threats, please reach out to us.
 

Article
Cyberattacks in higher education—How prepared are you?

Focus on the people: How higher ed institutions can successfully make an ERP system change

The enterprise resource planning (ERP) system is the heart of an institution’s business, maintaining all aspects of day-to-day operations, from student registration to staff payroll. Many institutions have used the same ERP systems for decades and face challenges to meet the changing demands of staff and students. As new ERP vendors enter the marketplace with new features and functionality, institutions are considering a change. Some things to consider:

  1. Don’t just focus on the technology and make change management an afterthought. Transitioning to a new ERP system takes considerable effort, and has the potential to go horribly wrong if sponsorship, good planning, and communication channels are not in place. The new technology is the easy part of a transition—the primary challenge is often rooted in people’s natural resistance to change.  
  2. Overcoming resistance to change requires a thoughtful and intentional approach that focuses on change at the individual level. Understanding this helps leadership focus their attention and energy to best raise awareness and desire for the change.
  3. One effective tool that provides a good framework for successful change is the Prosci ADKAR® model. This framework has five distinct phases that align with ERP change:

These phases provide an approach for developing activities for change management, preparing leadership to lead and sponsor change and supporting employees through the implementation of the change.

The three essential steps to leveraging this framework:

  1. Perform a baseline assessment to establish an understanding of how ready the organization is for an ERP change
  2. Provide sponsorship, training, and communication to drive employee adoption
  3. Prepare and support activities to implement, celebrate, and sustain participation throughout the ERP transition

Following this approach with a change management framework such as the Prosci ADKAR® model can help an organization prepare, guide, and adopt ERP change more easily and successfully. 

If you’re considering a change, but need to prepare your institution for a healthy ERP transition using change management, chart yourself on this ADKAR framework—what is your organization’s change readiness? Do you have appropriate buy-in? What problems will you face?

You now know that this framework can help your changes stick, and have an idea of where you might face resistance. We’re certified Prosci ADKAR® practitioners and have experience guiding Higher Ed leaders like you through these steps. Get in touch—we’re happy to help and have the experience and training to back it up. Please contact the team with any questions you may have.

1Prosci ADKAR®from http://www.prosci.com

Article
Perspectives of an Ex-CIO

Cloud services are becoming more and more omnipresent, and rapidly changing how companies and organizations conduct their day-to-day business.

Many higher education institutions currently utilize cloud services for learning management systems (LMS) and student email systems. Yet there are some common misunderstandings and assumptions about cloud services, especially among higher education administrative leaders who may lack IT knowledge. The following information will provide these leaders with a better understanding of cloud services and how to develop a cloud services strategy.

What are cloud services?

Cloud services are internet-based technology services provided and/or hosted by offsite vendors. Cloud services can include a variety of applications, resources, and services, and are designed to be easily scalable, cost effective, and fully managed by the cloud services vendor.

What are the different types?

Cloud services are generally categorized by what they provide. Today, there are four primary types of cloud services:

Cloud Service Types 

Cloud services can be further categorized by how they are provided:

  1. Private cloud services are dedicated to only one client. Security and control is the biggest value for using a private cloud service.
  2. Public cloud services are shared across multiple clients. Cost effectiveness is the best value of public cloud services because resources are shared among a large number of clients.
  3. Hybrid cloud services are combinations of on-premise software and cloud services. The value of hybrid cloud services is the ability to adopt new cloud services (private or public) slowly while maintaining on-premise services that continue to provide value.

How do cloud services benefit higher education institutions?

Higher education administrative leaders should understand that cloud services provide multiple benefits.
Some examples:

Cloud-Services-for-Higher-Education


What possible problems do cloud services present to higher education institutions?

At the dawn of the cloud era, many of the problems were technical or operational in nature. As cloud services have become more sophisticated, the problems have become more security and business related. Today, higher education institutions have to tackle challenges such as cybersecurity/disaster recovery, data ownership, data governance, data compliance, and integration complexities.

While these problems and questions may be daunting, they can be overcome with strong leadership and best-practice policies, processes, and controls.

How can higher education administrative leaders develop a cloud services strategy?

You should work closely with IT leadership to complete this five-step planning checklist to develop a cloud services strategy: 

1. 

Identify new services to be added or consolidated; build a business case and identify the return on investment (ROI) for moving to the cloud, in order to answer:

• 

What cloud services does your institution already have?

• 

What cloud services does your institution already have?

• 

What services should you consider replacing with cloud services, and why?

• 

How are data decisions being made?

2. 

Identify design, technical, network, and security requirements (e.g., private or public; are there cloud services already in place that can be expanded upon, such as a private cloud service), in order to answer:

• 

Is your IT staff ready to migrate, manage, and support cloud services?

• 

Do your business processes align with using cloud services?

• 

Do cloud service-provided policies align with your institution’s security policies?

• 

Do you have the in-house expertise to integrate cloud services with existing on-premise services?

3. 

Decide where data will be stored; data governance (e.g., on-premise, off-premise data center, cloud), in order to answer:

• 

Who owns the data in the institution’s cloud, and where?

• 

Who is accountable for data decisions?

4. 

Integrate with current infrastructure; ensure cloud strategy easily allows scalability for expansion and additional services, in order to answer:

• 

What integration points will you have between on-premise and cloud applications or services, and can the institution easily implement, manage, and support them?

5. 

Identify business requirements — budget, timing, practices, policies, and controls required for cloud services and compliance, in order to answer:

• 

Will your business model need to change in order to support a different cost model for cloud services (i.e., less capital for equipment purchases every three to five years versus a steady monthly/yearly operating cost model for cloud services)?

• 

Does your institution understand the current state and federal compliance and privacy regulations as they relate to data?

• 

Do you have a contingency plan if its primary cloud services provider goes out of business?

• 

Do your contracts align with institutional, state, and federal guidelines?

Need assistance?

BerryDunn’s higher education team focuses on advising colleges and universities in improving services, reducing costs, and adding value. Our team is well qualified to assist in understanding the cloud “skyscape.” If your institution seeks to maximize the value of cloud services or develop a cloud services strategy, please contact me.

Article
Cloud services 101: An almanac for higher education leaders

Read this if you are a director or manager at a Health and Human Services agency in charge of modernizing your state's Health and Human Services systems. 

When states start to look at outdated Health and Human Services systems like Eligibility Systems or Medicaid Enterprise Systems, they spend a lot of time on strategic planning efforts and addressing technology deficiencies that set the direction for their agencies. While they pay a lot of attention to the technology aspects of the work, they often overlook others. Here are three to pay attention to: 

  1. Business process improvement
  2. Organization development
  3. Organizational change management

Including these important steps in strategic planning often improves the likelihood of an implementation of Health and Human Service systems that provide the fully intended value or benefit to the citizen they help serve. When planning major system improvements, agencies need to have the courage to ask other critical questions that, when answered, will help guarantee greater success upon implementation of modernized system.

Don’t forget, it’s not only about new technology—it’s about gaining efficiencies in your business processes, structuring your organization in a manner that supports business process improvements, and helping the people in your organization and external stakeholders accept change.  

Business process improvement 

When thinking about improving business processes, a major consideration is to identify what processes can be improved to save time and money, and deliver services to those in need faster. When organizations experience inefficiencies in their business processes, more often than not the underlying processes and systems are at fault, not the people. Determining which processes require improvement can be challenging. However, analyzing your business processes is a key factor in strategic planning, understanding the challenges in existing processes and their underlying causes, and developing solutions to eliminate or mitigate those causes are essential to business process improvement.

Once you pinpoint areas of process improvement, you can move forward with reviewing your organization, classifying needs for potential organization development, and begin developing requirements for the change your organization needs.

Organization development

An ideal organizational structure fully aligns with the mission, vision, values, goals, and strategy of an organization. One question to ask when considering the need for organization development is, “What does your organization need to look like to support your state’s to-be vision?” Answering this question can provide a roadmap that helps you achieve:

  1. Improved outcomes for vulnerable populations, such as those receiving Medicaid, TANF, SNAP, or other Health and Human Services benefits 
  2. Positive impacts on social determinants of health in the state
  3. Significant cost savings through a more leveraged workforce and consolidated offices with related fixed expenses—and turning focus to organizational change management

Organization development does not stop at reviewing an organization’s structure. It should include reviewing job design, cultural changes, training systems, team design, and human resource systems. Organizational change is inherent in organization development, which involves integration of a change management strategy. When working through organization development, consideration of the need for organizational change should be included in both resource development and as part of the cultural shift.

Organizational change management

Diverging from the norm can be an intimidating prospect for many people. Within your organization, you likely have diverse team members who have different perspectives about change. Some team members will be willing to accept change easily, some will see the positive outcomes from change, but have reservations about learning a new way of approaching their jobs, and there will be others who are completely resistant to change. 

Successful organizational change management happens by allowing team members to understand why the organization needs to change. Leaders can help staff gain this understanding by explaining the urgency for change that might include:

  • Aging technology: Outdated systems sometimes have difficulty transmitting data or completing simple automated tasks.
  • Outdated processes: “Because we’ve always done it this way” is a red flag, and a good reason to examine processes and possibly help alleviate stressors created by day-to-day tasks. It might also allow your organization to take care of some vital projects that had been neglected because before there wasn’t time to address them as a result of outdated processes taking longer than necessary.
  • Barriers to efficiency: Duplicative processes caused by lack of communication between departments within the organization, refusal to change, or lack of training can all lead to less efficiency.

To help remove stakeholder resistance to change and increase excitement (and adoption) around new initiatives, you must make constant communication and training an integral component of your strategic plan. 

Investing in business process improvement, organization development, and organizational change management will help your state obtain the intended value and benefits from technology investments and most importantly, better serve citizens in need. 

Does your organization have interest in learning more about how to help obtain the fully intended value and benefits from your technology investments? Contact our Health and Human Services consulting team to talk about how you can incorporate business process improvement, organization development, and organizational change management activities into your strategic planning efforts.

Article
People and processes: Planning health and human services IT systems modernization to improve outcomes

Read this if you are a member of a State Medicaid Agency’s leadership team.

Another National Association of Medicaid Directors (NAMD) fall conference is in the books. As usual, the sessions were excellent. And this year we had the luxury of being able to attend from the comfort of our homes. For BerryDunn’s consulting group, that enabled us to “send” a broader team to conference. On the flip side, it also meant we were not able to greet and meet our community in person. 

Matt Salo, the NAMD Executive Director, defined the underlying themes to the conference as Flexibility, Innovation, and Resilience. If one were to just look at the full agenda, it would be hard to tell that this was a virtual conference. The session schedule and opening reception looked very much like a traditional NAMD conference, although there were not the usual breaks with the ice cream jubilee and ballroom number assignments. Otherwise, it was business as usual. 

In checking in with State Medicaid Director attendees, Monday’s meetings went well and they appreciated coming together. State leadership across the country is working straight-out right now—seven days a week. It kind of reminds me of when I became a parent: I thought I knew how to handle sleep deprivation, and then I had a newborn, and realized the important work of parenting isn’t on a time clock, which is much like the work Medicaid agencies are dedicated to. The directors and their support staff’s commitment to serving members and tax payers in their respective states is inspiring, and we are privileged to work alongside them. 

I appreciated a subtle but deep reminder from Matt and the NAMD President Beth Kidder for us: remember our “true North.” Why are we here? What is our purpose as leaders and vendors in the Medicaid community? The work we do matters. We can improve lives. We can save lives. The members in Medicaid programs are the center of all we do. Here are some of the other highlights I absorbed during the conference. 

Plenary sessions

In Tuesday’s plenary, panelists shared their primary lessons and reflections on the year, including: 

  • Pace―we need a balance because the pandemic does not have a clear beginning or end. Pandemics do not simply blow over like a hurricane; it’s hard to tell the beginning, middle, and end. 
  • Steadiness in chaos: velocity and stability―leaders need to make timely decisions while also being an anchor for their teams. 
  • Prioritization―not everything needs an immediate response. We need to be deliberate about what we do. 
  • Roadmaps―we can still use the tools we created map out where we want to go. 

The panel also shared how telehealth, transparency, teamwork, focus, and reflecting on “whole lives” in policy making assisted them in navigating their teams and providing the best services possible. 

Keynote―health equity 

Dayna Bowen Matthew provided a solid argument on how Medicaid can be key to achieving true health equity in America. She discussed the four “Ps” that can make this possible: Population, Position, Payer, and Persuader. She used the COVID-19 pandemic as her example of how it hit the vulnerable population first, and how we could have learned from it. 

Instead, it is being unleashed on the broader population. The work must begin with us, expand to our teams, policies we can control, and then policies that need a collaborative approach to change and implement. If you attended the conference and have access but missed this talk, I highly recommend listening to it as she covered a lot of very pertinent material. 

Member perspectives 

Sprinkled through the entire conference were videos of Medicaid members’ perspectives. I appreciate the tradition of bringing the human element of Medicaid’s impact into the conference, as it reminds us of our purpose. The perspectives also underscore another important theme of Matt’s: “Medicaid is a program about people, not statistics.” Examples of stories we heard include how someone went from 28 years of incarceration due to an armed robbery conviction to graduating from a university and now working with people; a hockey coach’s accident that paralyzed him from the neck down; a homeless mother gaining security and stability; a foster parent with a son having a rare brittle bone disease and a Native American parent with health access issues. 

Economy 

There were a couple of sessions related the economy, and generally, the presenters thought the biggest impact to Medicaid is yet to come. They said that there is typically a lag between events and member enrollments and the surge is still coming. They also agreed there was strong federal support from outside of CMS that kept their enrollment down. Membership growth is likely coming as state budgets are constrained. There are hopes for additional federal assistance within Medicaid, including an extended FMAP, and a similar package from last spring. The lack of certainty in regards to consistent funding is causing the states to spend a lot of energy developing back up plans. 

The panelists think the biggest economic challenges are yet to come is based upon three main reasons: the high chance of a recession, the impending (third wave) virus impact, and the social unrest exacerbated by the pandemic and systemic racism. These are merging perfect storms causing directors to look for stability and relief. I think the best summary I heard of how to proceed was open the book of “good ideas for bad times” that were not well thought of during good times. 

Public health emergency―COVID-19 pandemic 

As would be expected, COVID was a recurring topic in almost every session. There was a very interesting panel discussion on how best to “unwind” the changes made once we arrive in the post-pandemic era. There will be lots of challenges, and it is worth discussing these now, while we are still in the midst of responding to the immediate needs to address the virus. We are aware there will be systemic and program reversals. However, it will not be as simple as just doing a rollback. States will need to develop their strategies for redeterminations of their member populations and the timing will need to be coordinated. CMS will need to prepare guidance on expectations for unwinding. Programs will need to be reviewed and decisions prioritized on what needs to be changed. 

Prior to getting to post-pandemic era, states know they will need to plan for managing vaccine distribution, which will be one tool to help bring the curve down. According to former senior officials from the Trump and Obama administrations, the worst pandemic phase is coming this winter. However, there is “light at the end of the tunnel” because of optimism on a vaccine and other tools. We know more in this upcoming wave than the first wave in March. According to these officials, the sciences cannot get us through without a human element. And the human element can save a lot of lives. 

As Scott Gottlieb, MD, former FDA Commissioner, said, “We just need to stop breathing on each other.” He was implying that we need to socially distance and wear masks, while we wait for the vaccine come around and be distributed. The challenge is, according to Andy Slavitt, Former Acting Administrator for CMS, that the vaccine will not be available to the majority of the population for two to three months, and by then, if humans do not continue to change behavior, the spread could go to 30-40% of the population. They predict the pandemic will be at its worst point when the vaccine is made available. 

Seema Verma, the CMS Administrator, said the PHE has shown that we have the ability to work faster. She wants to ensure we heed the lessons of the pandemic, and in particular the experiences with the spread and deaths in the nursing homes. She feels that the issues in the nursing facilities cannot be fixed at the federal level. She sees CMS’s role is to encourage innovation at the state level, while the federal government hold states accountable to costs and positive outcomes and quality. 

Other concerns panelists raised regarding the pandemic are the long-term and downstream ripple effects of responding to the pandemic. For example: 

  • States know their members have delayed, deferred, and simply foregone healthcare over these past several months. This will create a surge in treatment at a later date, causing increased demand to an already fatigued provider community.
  • The reduced health of the general population resulting from not receiving the right care now and delaying care will further harm the well-being of the population. 
  • Our education system has gone mostly online, adversely impacting students’ ability to learn. 
  • The overall mental health of our population is at risk—the pandemic has changed all of us, and we will learn to what extent it is harmed us over the next several years. 

Looking ahead―there is hope

Several of the panels spent time discussing what our future might look like. It was encouraging to hear how there is a vision for long-term care delivery changes, meeting behavioral health needs, emergency and pandemic preparedness approaches, and addressing workforce challenges and healthcare inequalities. When asked to name one or two words that will represent where we are in five years, the panelists said: 

  • Lead and Succeed (#leadandsucceed) 
  • Survive and Thrive (#surviveandthrive) 
  • Even Better Together (#evenbettertogether)

We are in this today, and we are together, keeping the eye on our “true North”. Doing so will help us remain together and make us stronger in the future. The key is that we remain together. The conference showed that even though we could not be together in the same geographic place, our minds, attention, and spirit are aligned. We experienced the spirit of NAMD from our homes. 

We know that the future holds opportunities for us to be physically together in the future. We missed being in DC this year, and are very hopeful we will see you next year. That will be icing on the cake, which we will savor and not take for granted. Until then, I am confident we will maintain our integrity and focus on our purpose. 
 

Article
NAMD 2020 reflections: Together towards the future

Read this if you are in a management role at a state Medicaid agency.

States are facing unique pressure on resources and budgets due to the COVID-19 pandemic, coupled with potential uncertainty following an election year. Healthcare innovation and transformation is one route state Medicaid agencies (SMAs) may take to minimize operational costs and improve access to services. Here are some tactics, flexibilities, and practical steps to help realize innovation during this time.

US Supreme Court Justice Louis Brandeis is credited in 1932 with popularizing the phrase that states are the “laboratories of democracy”. In this case, Medicaid may be the ‘laboratory of health policy and innovation", in part as state Medicaid and Children’s Insurance Programs (CHIP) are collectively the largest US healthcare payer, covering 74 million individuals.

In 2020, states have faced the dual challenge of a public health emergency and corresponding state budget uncertainty, squeezing resources just as projected state revenues have dramatically shrunk. SMAs must be creative to meet competing priorities: administering their programs while responding to the public health emergency. Here are some tactics, flexibilities, and practical steps to help realize innovation during this time. 

Reimagining funding for state Medicaid agencies

Identifying a source of funding is often challenging. Three options to consider include:

  1. Advance Planning Documents (APDs)
    While strictly for information systems, APDs can unlock 90/10 match for Development, Design, and Implementation (DDI) or a 75/25 match for operations. This funding is above most state Federal Medical Assistance Percentages (FMAPs). Realistically, program changes generally require system changes too. Consider reviewing whether you could tie the initiative to Medicaid Information Technology Architecture (MITA) business process maturity and/or outcomes-based system certification criteria. Linking personnel, training, project management, and any equipment for system needs into an APD can be an effective way to help fund the process and system changes.
  2. Partnerships
    An SMA can look further afield if sister agencies have funds available. This is especially true if braiding federal payment streams is an option. For example, many developments that benefit Medicaid can also help CHIP. The federal matching rate for state CHIP programs is typically about 15 percentage points higher than the Medicaid matching rate.  
  3. Certified Public Expenditures (CPE)
    Under 42 CFR § 433.51 and the Social Security Act, another governmental entity besides the SMA can contribute state matches allowing the state to draw Federal Financial Participation (FFP). One option can be another governmental entity using state dollars at the state, county, or even local level, to deliver health services (if covered under the Medicaid state plan) to Medicaid members.  

Interagency cooperation to generate savings in the health and human service (HHS) space will be the topic of a forthcoming article.

Getting help: Communications planning and the role of project management

As SMAs pursue more complex initiatives such as addressing Social Determinants of Health (SDoH)—collaborating not just with providers but with other public agencies, community organizations, vendors, federal partners, advocacy groups, and health systems—the need to coordinate such a diverse circle of stakeholders increases. Demonstration projects, system implementation efforts, and major healthcare initiatives in particular, require coordination of stakeholders throughout each project phase.

Health and human services (HHS) organizations sometimes underestimate the role of project management. For example, project management is often seen as simply “making sure things are complete” by the deadline, but there are other advantages such as establishing efficiency, improving the quality of service delivery, controlling costs, and better coordinating staff for the SMA. With stretched public workforces and more tasks in the current business environment, you want to get as much done—preferably faster, cheaper, and with less risk—and deliver the expected benefits. 

Guidance on priorities from senior leadership can help organizations establish clear and visible sponsorship to help establish success. Strategic change needs a strong champion within the SMA who has the ability to convene key stakeholders and keep projects on task.

Procuring the tools

After determining funding and before executing a project, you prepare by getting the tools you need—whether tools that involve systems, subject matter experts, or general project assistance.  If the Request for Proposal (RFP) process is not an option, consider whether a pre-qualified vendor list or cooperative contract vehicle would work for you. Cooperative contracts are increasingly popular at the federal, state, and local levels. A few cooperative options include:

The solution is strategy

Keeping Medicaid innovation moving forward requires strategic focus that combines funding, communications, project management, and procurement. The strategy you develop can help the outcome of the initiative to be greater than the sum of its parts. By using all available tools, including those discussed here, your SMA can prioritize innovation.

Next steps

  • Evaluate your program and identify initiatives to prioritize in the coming year. Ask your CMS contact about the latest applicable guidance. 
  • Develop APDs to help fund technology needs for initiatives, along with training your SMA team and providers. 
  • Implement a communications management approach to engage stakeholders.
  • Marshal project management resources and develop a realistic and achievable roadmap to success.   
  • Explore agency contracting vehicles, cooperative contracts, and other procurements tools. 

We’re here to help. If you have more questions or want to have an in-depth conversation about your specific situation, please contact the Medicaid consulting team
 

Article
The solution to help Medicaid innovation moving forward

CYSHCN programs have new care coordination standards―how does your agency measure up?

On October 15, 2020, the National Academy for State Health Policy (NASHP) released new care coordination standards for Children and Youth with Special Health Care Needs (CYSHCN) programs. The National Care Coordination Standards supplement the National Standards for Systems of Care, helping to ensure that children and youth with special health care needs receive the high-quality care coordination needed to address their specific health conditions.

The standards also set requirements for screening, identification, and assessment, a comprehensive shared plan of care, coordinated team-based communication, development of child and family empowerment skills, a well-trained care coordination workforce, and smooth care transitions. 

What do the standards mean for CYSHCN programs

The National Care Coordination Standards are more than guidelines for CYSHCN programs; aligning with the standards can lead to operational efficiencies, greater program capacity, and improved health outcomes. The standards can serve as a lens for continuous improvement, highlighting where programs can make changes that reduce the burden on care coordinators and program administrators.

However, striving to meet the standards can be challenging for many programs—as the standards develop and evolve over time, many programs struggle to keep up with the work required to update processes and retrain staff. Assessing a CYSHCN program’s processes and procedures takes time and resources that many state agencies do not have available. Despite the challenge, when state agencies are the most strapped is often when making change is the most needed. A shrinking public health workforce and growing population of CYSHCN means smooth processes are essential. To take steps towards National Care Coordination Standards alignment, BerryDunn recommends the following approach: 

A proven methodology for national standards alignment

There are many ways you can align with the standards. Here are three areas to focus on that can help you guide your agency to successful alignment. 

  1. Know your program
    It can be easy for processes to deteriorate over time. Process mapping is an effective way to shed light on current work flows and begin to determine holes in the processes. Conducting fact-finding sessions to map out exactly how your program functions can help pinpoint areas of strength―and areas where there is room for improvement.
  2. Compare to the national standards
    Identify the gaps with a cross-walk of your program’s current procedures with the National Care Coordination Standards. We assess your alignment through a gap analysis of the process, highlighting how your program lines up with the new standards.
  3. Adopt the changes and reap the benefits
    Process redesign can help implement the standards, and even small adjustments to processes can lead to better outcomes. Additionally, you can deploy proven change management methodologies programs that ease staff into new processes to produce real results.

Meeting national standards doesn’t have to be complicated. Our team partners with state public health agencies, helping to meet best practices without adding additional burden to program staff. We can help you take the moving pieces and complex tasks and funnel them into a streamlined process that gives your state’s children and youth the best care coordination. 

Article
Using process redesign to align with new CYSHCN standards