Skip to Main Content


Texting in healthcare? Best be secure.

By: Dan Vogt

Texting has become a simple, convenient, and entrenched component of our everyday lives. We use it with family, friends, coworkers—and clients. My wife and I text to coordinate day care pickup and drop off of our kids every day. It is a quick and easy alternative to our large, and sometimes overwhelming, volume of email.

And with that convenience comes the temptation for clinicians, care teams, and healthcare providers to communicate sensitive content via text in the workplace. The ability to take a photograph of a wound and share with a colleague for a consult is convenient and effective. The number of patients who want to text a non-urgent question to their providers is also growing, particularly with younger patient populations. Population health teams who want to better engage patients may see texting as an easy format to achieve that.

The problem? Texting is not a secure communication method. The native SMS (short message service) used by many phones, including iPhones (at times), is not encrypted, and messages are sent in plain text over cellular networks. SMS messages are vulnerable to “man-in-the-middle” attacks, in which a third-party eavesdrops or potentially manipulates a conversation. The native message format of iPhones has security risks, too. And when a text message contains protected patient information or images, these risks become significant.

On December 28, 2017 CMS released clarification on text messaging. The highlights:

  • Texting is permissible between care team members if accomplished through a secure platform.
  • Texting of orders: prohibited.
  • Computerized Physician Order Entry (CPOE) is the preferred method of provider order entry.

The first bullet allows some consideration of text messaging but with an important caveat: you must use a secure platform. The last two bullets steer providers to using their EHR systems.

What should you do if you find yourself in a position where text messaging has crept into your culture?

  • Establish a policy to govern the use of text messaging and update your mobile device policy.
  • Determine whether you will implement (and allow your care team to use) a secure texting platform or prohibit texting all together.
  • Consider how secure texting impacts your policies and procedures related to data retention, discovery, and the legal health record. 
  • Educate your patients about secure messaging available on your patient portal.
  • Assess your organization’s usage and level of risk.

  • Stop using unsecure text messaging for patient related communications.

For more information, contact me.

Related content:

Watch our video on adopting technology for success
Read Dan's article on soft cybersecurity skills.

Read this if you are an IT Leader, CFO, COO, or other C-suite leader responsible for selecting a new system.

Vendor demonstrations are an important milestone in the vendor selection process for organizations assessing new software systems. Demonstrations allow you to validate what a vendor’s software is capable of, evaluate the usability with your own eyes, and confirm the fit to your organization’s objectives.

Pre-COVID-19, such demonstrations would generally take place in person. During the middle of COVID-19, remote demos were the only option. Today, organizations have choices between in-person or remote demos. Given staffing challenges and vendor schedules, remote demos can be more efficient and flexible and are a choice worth considering.

Here are some of the key success factors and lessons learned we found conducting and completing remote demonstrations.

  1. Prepare thoroughly for your remote software demo
    Establish a clear agenda, schedule, script, and plan prior to demonstrations. This helps keep everyone coordinated throughout the demos.
  2. Test the software vendor’s videoconference system
    It’s important to test the vendor’s videoconference solution from all locations prior to the demonstrations. We test with vendors a week in advance.
  3. Establish ground rules for the demo
    Establishing ground rules enhances meeting effectiveness, efficiency, and timeliness. For example, should questions be asked as they come up, or should participants wait until the speaker pauses? Should the chat function be utilized instead?
  4. Have clear roles by location
    Clear roles help to facilitate the demonstration. Designated timekeepers, scribes, and local facilitators help the demonstration go smoothly, and decrease communication issues.
  5. Be close to the microphone
    This is common sense, but when you’re in a virtual environment and you may not be on screen, be sure that you’re close to the microphone and are speaking clearly so everyone can hear you.
  6. Ask vendors to build in pauses to allow for questions
    Since vendors may not be able to see a hand raised, asking vendors to build specific pauses into their demonstrations allows space for questions to be asked easily. Consider designating a team member to monitor for hands raised and to interject so that a question can be asked in a timely manner.
  7. Do a virtual debrief
    At the end of each vendor demonstration, we have our own virtual meeting set up to facilitate a debrief. This allows us to capture the evaluation notes of the day prior to the next demo. Planning these in advance and having them on people’s calendars makes joining the meetings quick and seamless.

Observations and other lessons learned from remote vendor demos

After facilitating many remote software vendor demos, we’ve identified these lessons learned unique to virtual demos. 

Visibility is actually better with remote demos
Virtual demos allow everyone to see the demo on their own screen, which actually makes it easier to see than if you were doing the demo on-site. 

Different virtual platforms require orientation
We want vendors to use the tools they are accustomed to using, which means we need to use different products for different demonstrations. This is not insurmountable, but requires orientation to get used to their tools at the start of each demo.

Establishing the order in which team members provide feedback is useful
It’s helpful to establish an order in which participants speak and share their thoughts. This limits talking over each other and allows everyone to hear the thoughts of their peers clearly.

Staying engaged takes effort
Sitting all day on a remote demo and paying attention requires effort to stay engaged. Building in specific times for Q&A, calling on people by name, and designing the day with breaks can help people stay engaged all day.

Remote software demos can be highly successful, accomplish your goals, and help you meet critical timing milestones. We’ve found that post-COVID-19 when remote demos follow the guidelines above, they are often more efficient and engaging than if they had been conducted on-site. If you need assistance in implementing a healthcare IT solution, our team would be happy to help. Learn about our services. 

Hosting efficient and engaging remote vendor demonstrations for software solutions

Read this if you are considering an EHR system implementation.

Recently, we were working with a client project team on an electronic health record (EHR) system implementation across multiple locations. We were reviewing the results of integrated and unit testing and it was apparent that more testing was needed—but not enough timeline remained before the go-live. The decision was made to delay the go-live. It was the right decision to make as now the team had the time to have a more fully tested and ready system. However, the CIO was concerned that a delay in the go-live would reduce the urgency and effort the project team had been putting in.

We told the client that they needed to go the same speed, and just needed more road. “Same speed, more road” became our battle cry for the remainder of the project, and after a two-month delay, we had a successful go-live.

Organizations are often hesitant to think about changing the schedule or delaying a go-live. It is an understandable hesitation as many things are tied to the schedule including conference room reservations, vendor travel, reduced patient schedules, and even vacation blackouts. However, using the project schedule should be at the forefront of an organization’s project management toolkit. 

The Iron Triangle of project management has three primary variables: scope, schedule, and resources. And in the center of them is the quality of the project. 

In the current healthcare environment, hospitals, nursing homes, and health systems may find it challenging to consider scope or resources as primary tools. 

  • Scope
    Whether you are a hospital replacing multiple EHRs with one, or a nursing home replacing paper charts with an integrated EHR, the foundational scope needed is large and expansive and with few items that you can pare back. The required scope limits your ability to use a reduction in scope to improve project outcomes.
  • Resources
    Between the significant staffing shortages across healthcare and the financial headwinds health systems are facing, resources are scarce. In the face of these challenges, using resources as a primary tool to keep a project on track presents its own challenge.
  • Schedule
    A schedule is the most available tool to use to keep an EHR project on track. While this is a tool not without limits, challenges, or problems, planning for it from the onset of an EHR project is key to successful implementation. 

EHR system implementation schedule flexibility tactics

To have schedule flexibility as a readily available tool for your EHR project, here are tactics to set you up for maximum success:

  • Realistic timeline
    EHR vendors often provide you with timelines that may be realistic to achieve under ideal conditions but may fall short when reality sets in. Reviewing and planning an EHR implementation timeline with your preferred vendor in advance of contract signing is beneficial. You should look to incorporate known constraints, known risks, and sufficient contingency time to keep the project on track when issues arise. For example, if a vendor provides you with a six-month implementation time frame that starts in October and concludes in April, it may not account for the disruption the fall and winter holidays could have in shrinking the actual number of project weeks within that six-month window. 

    If you anticipate a survey window during a particular point in the project and have no contingency time to redo a project even if the surveyor shows up, that could cause problems. Also, when reviewing the timeline, look at the time between each testing event and the scheduled go-live. If there is not sufficient time between each of these important project milestones, you will not leave yourself enough time for defect resolution or an additional testing event without having to change your go-live date. By setting a realistic timeline with sufficient slack time between major events, you increase your likelihood to address issues and maintain your planned go-live date.  
  • Effective contracts
    Negotiate contract provisions with your preferred EHR vendor to give you schedule options that are not overly punitive to your health system. Contract provisions that allow you to delay if the vendor has challenges that warrant the delay without financial penalty are essential. You will need clear acceptance criteria that must be achieved in order to go live and set expectations for how schedule changes would be addressed if you need to delay for your own resources. Without planning the options in advance of the project, schedule changes and delays can become overly contentious with the vendor and costly to your health system.
  • Set priorities
    Work with your senior leadership, medical staff, and board to understand how the schedule may be used as a tool for project success. Describe how, why, and when a project delay may be used. Get everyone on the same page with the go-live criteria that will be used, conditions that would warrant a delay, and how the timeline will be used to bring about a successful go-live. 
  • Know why
    No EHR go-live is perfect or risk-free. It is all about acceptable levels of risk in order to proceed to go-live. Be clear and differentiate between being nervous and needing to delay. Use your go-live criteria, your risk and issues logs, and the input from senior leadership and staff to establish if you are just nervous or are actually at a risk level that warrants a delay. 
  • Be better
    Delaying and doing nothing differently can make you run later and more expensive, but no more successful than had you gone live on the original date. At a minimum, embracing the “same speed, more road” battle cry is warranted with a delay. There is no slowing down, taking a break, or stepping back. If anything, depending on your situation, it may warrant “faster speed, more road” to be successful. This can come in the form of daily project huddles, repeated pulse surveys, dedicated events focused on resolving project issues, additional testing events, and any recurring meetings between your leadership and the EHR vendor’s leadership team. When you delay, have a clear plan of attack for improving the project.
  • Try not to kick the can
    If you are facing a project delay, it can be very tempting to want to delay it as little as possible. This is understandable as everyone has been working hard and wants to reach the go-live date. Be cautious and confirm your delay is sufficient to address the risks, issues, and tasks needed to improve the project. Medical staff and colleagues will be tolerant of a delay to achieve a successful EHR go-live but will grow wary if you must delay repeatedly. When you make a delay call, build a plan and schedule with sufficient time, including contingency time, built in. It is better to be ready and confident early than have to face the challenge of a repeated delay.

EHR implementations are hard, stressful, and intense endeavors. They overturn nearly every process in your health system. By the time you approach go-live, people are ready to get there and hesitant to make changes. However, you may not be ready to go live successfully. The scope of the project may not be able to be reduced and additional resources may not be available. Using schedule flexibility to your advantage may be your best option for a successful go-live. Know why, how, and when to use this tool—and communicate clearly and broadly to your organization—and success can follow. 

Same speed, more road: Why using schedule flexibility is key to a successful EHR implementation

Read this if you are considering an Electronic Health Record (EHR) system implementation.

The go-no-go decision is a pivotal milestone in an EHR implementation. The meeting is years in the making. You’ve evaluated EHR vendors, signed a contract, waited for the implementation to begin—and then spent the better part of a year battling through the hard work of an implementation. Your team will be tired, stressed, and very focused on reaching that goal of the go-live event. The team has very little desire to have the project go on any longer than needed. The EHR is built and tested. You are likely focused on finalizing the training plans for your providers, nurses, and other end users. You may be in the process of lowering patient schedule volume for the go-live window. 

The desire to go live can cause both the vendor and your team to want to downplay the go-no-go decision and just proceed. Whatever you do, avoid that impulse. 

The go-or-no-go discussion: an EHR implementation best practice

Take the time to have the discussion of whether to go live or not. Doing so is an implementation best practice. It allows your team to step back and ask some fundamental questions. Are we ready to go live? Is there an acceptable level of risk, being aware that there will never be no risk? When you decide to conduct a go-no-go meeting, here are some points to consider:

  • Acceptable level of risk
    As the reality is that no go-live is risk free, you’ll need to assess if there is an acceptable level of risk with your leadership team. This will vary by the specific risks and issues of your project and the specific conditions at your health system. For example, if the testing results for charge capture and claims testing are less than desirable and the financial health of the hospital cannot tolerate a significant impact on cash flow, it may not be an acceptable risk at this time. Or, if your orthopedic group or surgical team are both influential groups of leaders and high revenue generating departments and their order sets, charges, and documentation templates are not yet built, it could be a reason to delay. Acceptable risk is not clear cut and varies from organization to organization. By focusing on the risks and issues, you can determine as a team if the risk is acceptable.
  • Continuation bias
    Continuation bias is the unconscious belief that you should continue with an original plan (such as a go-live date) despite changing conditions. In aviation, this can lead to flight crashes when weather changes. Similarly, it can lead to failed EHR projects if, for example, the testing results were low, the defects were not quite resolved, and the system was not quite ready. To reduce charging forward, discuss the concept of continuation bias in advance with your leadership team. Discuss openly if you believe it may be creeping into your thinking. Use the written risks and issues for the project to guide your decision-making much like a pilot would look at the current weather conditions before deciding to land the plane.
  • Contingency plans
    Mitigation plans reduce the risk from occurring and negatively impacting the project. As you get closer to a go-live event, you will want to document contingency plans for what to do if the risk occurs after go-live. By documenting contingency plans, you can identify which, if any, contingency plans are not realistic. For example, if Accounts Receivable is disrupted and cash flow is slowed, your contingency plan might be to use your line of credit. However, if your line of credit is fully used because of the recent construction project, that contingency plan is unrealistic. If you have unrealistic contingency plans and the likelihood of needing that plan is high, you may not be ready to go live. 
  • Around the room
    It is important you allow all the voices of your leadership and project team to be heard. It is possible that some people believe you are ready to proceed while others do not. Working through the differing opinions until you have general agreement to either proceed or delay will help your team get behind the decision. Silence is not an option during this session and all leaders and perspectives need to be heard and understood. This better prepares you to lead your health system through the subsequent steps and minimize any Monday-morning quarterbacking. 
  • Readiness survey
    Your leadership and project team may not see all the reasons for proceeding to go live—or choosing to delay. The wider group of employees and those involved in the implementation may see important information that should be taken into consideration. An electronic readiness survey prior to your go-no-go meeting is an effective tool for gathering this information. It can be as simple as a readiness Likert scale and some open-ended questions about readiness and top concerns. Survey responses can provide your leadership team with a deeper level of information to inform decisions. 
  • Can you name it
    It’s normal for your team to feel anxious heading into a go-no-go decision. Differentiating between generalized worry and an impactful risk is important. Ask your team to name the risk, describe the risk, and define the impact of the risk. If they are able to complete that exercise with specific details, it may be a risk to consider. If they are unable to share that level of detail, it may be an indicator of just plain old worry, and it may be safe to proceed. 
  • Missed approach criteria
    Even after you make a go decision, there is a small chance you could have a problem occur that would cause you to not go live when planned. The list of factors that would cause you to not go live should be short and defined in advance. For example, if the vendor has a major technical issue making the system unavailable for go-live, if weather prevents any of the vendor team from arriving on-site for the cutover, or if a critical issue that was planned to be resolved before go-live is not. Having these criteria defined and known in advance allows you to use them if something occurs that needs further clarity and agreement with your leadership team.

The go-no-go decision is a crucial step in implementing an EHR system and often can be the difference between success and failure. Planning this step from the start of the project will set you up to have the discipline to complete it when the pressure of the implementation and your timeline is bearing down on you.

EHR implementation: The go or no-go decision

Read this if you are considering implementing an EHR system.

As the era of multiple Electronic Health Record (EHR) systems wanes, the focus is on a single integrated EHR across the health system. This shift is both an opportunity and a challenge for most hospitals and health systems. On one hand, it brings the opportunity of a single view of the patient for a provider, population health at a system level, and greater efficiencies across departments. On the other hand, it requires implementing an enterprise system, changing processes across every department and location, and going live in a “big bang” manner. Historically, hospitals implemented solutions piece by piece over years of time and didn't implement everything within a year. Moving to a single enterprise-wide system represents a tremendous amount of change in a very short time frame. The risk of resistance to change by your people is significant. 

How you address that risk may make the difference in your project’s success. Prosci® has a risk assessment tool that looks at two primary dimensions: 

  • The scope of the change. Is the change small, incremental, or large and disruptive? 
  • The culture of the organization (organizational attributes). Is your organization ready for change or is it change resistant?

Based on the assessment of these two factors you can plot from a change management perspective whether the change is high, medium, or low risk. 

Three components of a high-risk EHR implementation environment

  1. Large disruptive change
    It is a fair assumption that if you implement a new EHR system across your entire health system (that impacts every clinical, financial, and operational workflow), it would be a large, disruptive change. And certainly a high risk from a scope of change perspective.
  2. Change resistant culture
    The next question is what is the culture of your organization? Are your people generally accepting of or resistant to change? How do employees remember past changes? How adept is your management team at leading through change? While the scope of the project is often front of mind, leaders may overlook these very important aspects of your culture. In our experience, many organizations have a culture that is at least slightly change resistant, if not more so, particularly if your workforce has been in place for a long time and has not replaced any systems recently. Many people in your organization may only know the way they have always done things and may not have even had exposure to another EHR system. This sets people up to be inherently nervous and even fearful of what a new system may mean for their day-to-day work and even job security.
  3. Change saturation
    Lastly, you add the change saturation to the mix. Prosci ® defines that as when disruptive changes exceed your capacity to adopt them. For healthcare, the last three years have been a lesson in extreme change saturation. People are tired, burned out, and ready for more stability and less change.

When you combine a significant scope, a change resistant culture, and a high level of change saturation, you have created a high-risk environment for implementing a new EHR. So, if you are a senior leader about to embark on an EHR project, what should you do?

  • Start change management as soon as possible—early recognition that an upcoming change will be challenging gives leaders an opportunity to learn early, engage early, and adopt early. Organizations who engage a wide audience early in a complex change have greater opportunity to communicate answers to “why,” “what does this mean to me,” and “how do I have to prepare “questions.
  • Select the right project sponsor—the single most determinate factor in project success is having an engaged and effective sponsor. The sponsor needs to bring credibility to the change, provide energy to the organization for change, and be visible and transparent as to why this change is needed now.
  • Establish an effective leadership team—for an EHR implementation, the sponsor cannot “go it alone.” An effective change leadership team provides consistent messaging and in-depth knowledge of the change and engages in conversations throughout the organization explaining the need for change.
  • Be active and visible leaders—once the leadership team is established, getting out the word is crucial. Leaders should engage in division and departmental meetings, educating teams on the change and the need for change. Repeat appearances and follow-up communications begin to establish a collective understanding across an organization. Rotating leaders through these communication opportunities also brings different organizational perspectives as to why the change is important. Hearing from different clinical, financial, and operational leaders helps people understand the common themes and current ideas on the necessity of the change. Leaders must engage and empower management to understand and support the change. 
  • Identify and engage supervisors and influencers—most organizations have team members who are very influential within teams and may not hold management positions. Prosci ® says that a direct supervisor is the best communicator to effect change. In addition, influencers may not have the title but the whole team will look to them for indications that the change is good or not. Training these team members on the importance of the change helps them educate their team members and improves their team’s opinions and support for the change.
  • Use vendor backlog to your advantage—vendors are having a challenging time staffing projects that can lead to delays. Use the months you have leading up to project start to focus on change management. Build excitement with your people. Train your leaders to be effective change managers.
  • Rinse and repeat—monitor your change management activities carefully and repeat the processes that prove most effective. Change the content of the messages being delivered, but not the approach on how they are delivered. 
  • Celebrate early and often—take the time to thank your teams. Change can be difficult. Rewarding and recognizing accomplishments, big and small, during the project life cycle builds momentum and desire for the upcoming change. Thanking your people with food is always a crowd pleaser. Be sure to make these celebrations public to share the good news.

Most organizations experience challenges when implementing change and an enterprise-wide EHR implementation is the definition of a high-risk change. Starting change management activities early in a project provides the highest likelihood of reducing change resistance and improving adoption. The goal is to have most team members understand the change, the need for change, the impact of the change, and how the organization is going to support the change. An early start provides the smoothest entry ramp into a new world. 

Assessing the risk and managing the change of EHR implementations

Read this if you are implementing a new Electronic Health Records (EHR) system. 

Electronic Health Record (EHR) implementations are large-scale, high-risk endeavors that can bring wild success or frustrating failure. While there is justifiably a lot of attention paid to clinical workflow, change management, integrated testing, end-user training, and at-the-elbow support, we want to address a far less exciting, but critical component of EHR implementations—unit testing. 

Most EHR implementations use commercial-of-the-shelf software and increasingly cloud-based or vendor-hosted solutions. This software is being configured with little actual custom software development. With this in mind, we define unit testing as the testing of an individual component of configured software. For example, units to test could be a single order, lab test, charge, etc. Integrated testing we define as testing multiple components of configured software through a designed testing scenario to test if the components all work together as expected. 

We’ve seen EHR vendors put an increasingly higher focus on integrated testing and less emphasis on unit testing. With a greater shift towards cloud-based and vendor-hosted solutions, we have seen EHR vendors have a more substantial role in the configuration and build of the EHR software. In this scenario, the client primarily submits data through completed worksheets, documents, and forms to guide the vendors' configuration efforts. 

Expand EHR testing for a more successful outcome

The combination of less focus on unit testing and the higher reliance on vendors doing the configuration puts your health system at risk. Integrated testing is great for testing how the system works together—but is not sufficient for broadly verifying if the vendor has correctly completed the configurations. 

Think about it. How many orders, tests, assessments, medications, charges, and other configured components can you include in a realistic integrated testing scenario? It’s likely that only a fraction of what is likely contained in your order catalog, pharmacy formulary, or charge description master is included. This puts you in a vulnerable situation: the system is configured sufficiently to pass an integrated testing script but not configured at a broad scale. 

An effective treatment for this risk is thorough unit testing. For example, test each medication in the pharmacy formulary, try every order set, drop each charge, try every visit type, or complete each assessment. Unit testing the components will increase your confidence that the system is built and ready to go. Conducting unit testing in the production system can help reduce risk of an error or discrepancy between the build in the non-production and production systems. If you do this, be sure to have a plan with your vendor to address any transactions this may create in the production system. 

Effective unit testing

Here are some tips to help you conduct unit testing effectively:

  • Develop a unit testing plan
    A well-documented plan that outlines the scope, timeline, assigned responsibilities, and performance expectations for unit testing will keep the testing process organized and efficient.
  • Prioritize unit testing
    The leadership team should establish clear expectations that unit testing is an essential component of the EHR implementation process and allocate adequate resources and time to carry it out effectively.
  • Assign responsibility to project leaders
    Ensure that each department head or subject matter expert understands their respective build and the critical components that need to be tested during the unit testing process.
  • Establish a system for documenting results and issues
    Implement a clear system to record and track test results, identify failures, and log issues encountered during testing. This will facilitate efficient communication and help the testing team and the vendor resolve issues.
  • Adopt a no-idle-hands strategy
    Utilize any idle time during integrated testing or project events to conduct unit testing. This will help maximize testing efficiency and identify issues that may have been missed.

While implementing EHR systems is a complex and multifaceted endeavor, unit testing is a crucial component that should not be overlooked. Properly conducting unit testing can greatly improve the success of an EHR implementation and minimize the risk of problems.

Unit testing in EHR implementations: Tips for effective testing

Read this if you are looking at implementing a new Electronic Health Records (EHR) system. 

Not since the early years of the meaningful use incentives have we seen such client activity in implementing new EHR systems. The primary driver for this activity is a strong desire to move away from combinations of multiple different EHR vendors across a health system toward a single, integrated EHR platform from one vendor. Continuity of care, population health, and patient-centric data are trumping a strategy of having niche EHR platforms at the department or care-setting level. Implementing an integrated EHR across an entire health system is a big, ambitious, high-risk project that comes with significant change for your people—even under normal conditions. 

Conditions have been far from normal for most workforces over the past few years. After three years of the COVID-19 pandemic, exhausting work conditions, and the unusual labor market (commonly referred to as the "Great Resignation"), staffing challenges are understandably at an all-time high. 

It is no surprise then, that when we ask clients what some of their top project risks are heading into an implementation, staffing is listed as their number one or two risk. And staffing is not just a risk for clients. EHR vendors are also facing increased employee attrition. 

So, when you combine very large and high-risk projects capable of changing every process for your people with a labor market full of turnover and vacancies, you have a higher risk EHR implementation environment than at any time in recent memory. 

This environment may lead you to think that now isn’t a good time to implement a new system. At times, waiting on the implementation may be the right call for your organization. Maybe you should hang tight for a bit and wait until your team is more stable. 

However, it may not be best to wait. Staying with a combination of legacy EHRs bolted together may not reduce your organizational risk. As viable legacy EHRs are dwindling, the chance that a change in EHR will be forced upon your health system increases. Replacing a system under duress, rather than choosing when to implement a new EHR system, would actually be more stressful and most likely introduce even more risk. 

If you are planning to or are currently implementing a new EHR in these workforce conditions, here are some recommendations to help mitigate staffing and vendor risks and manage, if not strengthen, employee well-being.

Vendor turnover

  • Negotiate provisions
    During contract negotiations, address turnover and vacancies directly. Contractual terms for notification, transition plans, and timelines for filling vacancies won’t prevent turnover but will make it more manageable when it occurs.
  • Meeting summaries
    Direct the vendor to use a consistent meeting summary format and post it to a project portal within a set period of time; this can also help the transition from one vendor teammate to another. 
  • Executive sponsor notice
    Require the vendor to provide notice to your executive sponsor as soon as the vendor knows about staff turnover. This allows leadership to be prepared for the news and lead their team through the staffing transition calmly and from an informed position. 
  • Transition plan and call
    Have vendors document a written transition plan and hold a transition call between the client and vendor resources. This can’t be accomplished with sudden departures but can be with planned departures. 
  • Timeline provisions
    Vendor staffing disruption can be a project risk and can negatively impact implementation timelines. Negotiate timeline change provisions to limit the negative impact on your health system if a vendor encounters staffing turnover. 

Health system turnover

  • Change management
    Focus on deliberate, intentional, and proactive change management. Active and visible sponsorship for the change will help your employees embrace the change to the new EHR. By making the new EHR more exciting and less daunting, it will give employees one less reason to seek employment elsewhere.
  • Have contingency and management reserves
    From a project management perspective, increasing your contingency funds and management reserves can help you account for a higher likelihood of staff turnover, more recruiting, or staff augmentation, if needed. 
  • Establish staff augmentation arrangements in advance
    Identify firms for staff augmentation before you start. Know who you will call to get the talent you need when you need it. Having expectations of contracted rates in advance can help you fill vacancies more quickly.
  • Use your senior team as your coaching staff
    Some leaders and managers will find an implementation more stressful than others, decreasing their effectiveness as team leaders. Assigning senior leaders to different department heads to serve as coaches and mentors can give managers the support they need to get through the implementation.
  • Address weak leaders before the implementation
    In a tough labor market, you may be reluctant to address your weaker leaders for fear of not being able to replace them. Our experience is that implementations don’t often make weak leaders stronger, and their weaknesses will hinder the project. You’ll need to determine if you can coach them up, make the tough call to replace them, or find a leader within their team to step up for the implementation. 
  • Negotiate delay provisions
    While not as easy to negotiate as vendor staff turnover delays, having a defined process for changing the timeline if you need to can be helpful. Provisions of this nature can help you manage the risk and know in advance what will happen if you were to delay the project. 
  • Monitor for the non-project turnover
    Often implementations will have a staffing and turnover plan for people on the project. However, a less obvious staffing risk is turnover of people in departments not assigned to the project. Those turnovers tend to put more non-project work on project team members. Having a plan to resolve vacancies quickly will help you reduce this risk.
  • Have job descriptions ready
    In order to speed up the process to address turnover and vacancies, have job descriptions ready. This can allow you to go to market faster when (not if) you have turnover during the implementation. 

Employee well-being

Large-scale, complex initiatives can place new strains on employees, leading to greater levels of stress, and in some cases, employee burnout. By taking a proactive approach to supporting well-being (physical, mental, social, financial, and professional), the organization can better manage the performance, retention, and interpersonal dynamics of the project team. This can help reduce the risk of project delays and improve overall project outcomes.

  • Prepare people for what to expect
    A large system implementation can be a source of concern and uncertainty. Employees may worry about how the change will affect their jobs and what will be expected of them. There may be fears around how these expectations will impact other personal and professional commitments. Transparency, proactive planning, and an individualized approach can help alleviate fears and reduce stress and uncertainty. 
  • Unite project leadership at all levels
    Inconsistent messaging and decision-making can quickly undermine trust and may trigger cynicism, disengagement, and even animosity. It is imperative that executives and team leaders share a common understanding of project goals, guiding principles, and core organizational values around well-being—and communicate that understanding to the team. 
  • Be intentional about trust
    Trust is a core element of well-being that is built upon authenticity, empathy, and credibility. Make sure to make trust a part of the project as it is also the foundation for the collaboration necessary among the organization, vendor, and implementation partner. 
  • Pulse surveys (Stay in tune with how people are doing)
    Workload demands will shift throughout the implementation. At the same time, personal circumstances of employees will evolve. Maintaining a “pulse” on how the team is doing and being able to quickly respond when teams or individual contributors are struggling can help project leaders and managers stay ahead of disengagement, burnout, and resignation.  
  • Celebrate success and show appreciation
    It can be easy to miss opportunities to celebrate milestones and recognize individual contributors when timelines are tight, and workloads are high. We emphasize the importance of appreciation, celebration, and finding moments for fun throughout the project. 
  • Support for stress management and resilience
    Often, there are opportunities to help staff improve stress management with practical, research-supported activities, such as five-minute breathing exercises, stretch breaks, and environmental changes (brief walking breaks and outdoor meetings, for example) to support stress regulation. 
  • Highlight wellness and well-being resources
    Employees may benefit from existing wellness and well-being resources throughout the project. There may be opportunities to work with human resources or a well-being manager to increase awareness for these resources or design custom programming in support of the project.
  • Promote healthy lifestyle choices
    Implementations are often synonymous with long hours sitting in meetings or at a screen, “always-on” mentalities, and team donuts, pizzas, and bowls of candy. While these behaviors (and tasty treats) may offer short-term benefits, they degrade employee resilience and well-being over time. Small behavioral nudges can make a big difference, such as replacing (or at least supplementing) typical “command center treats“ with healthier options, emphasizing breaks (both throughout the day and PTO), and agreeing to off-hours communication expectations and boundaries. 

It takes strong ambition to take on a large EHR project in normal times. Under the current staffing stresses, it is crucial to be prepared. If you plan in advance for vendor and employee turnover, manage your people deliberately, and focus on employee well-being and change management, you can reduce the risk and increase the likelihood of a successful outcome. 

Implementing EHR systems in high-turnover environments: Steps to mitigate risks

What the C-Suite should know about CECL and change management

Read this if you are at a financial institution. 

Some institutions are managing CECL implementation as a significant enterprise project, while others have assigned it to just one or two people. While these approaches may yield technical compliance, leadership may find they fail to realize any strategic benefits. In this article, Dan Vogt, Principal in BerryDunn’s Management and IT Consulting Practice, and Susan Weber, Senior Manager and CECL expert in BerryDunn’s Financial Services Practice, outline key actions leaders can take now to ensure CECL adoption success.  

Call it empathy, or just the need to take a break from the tactical and check in on the human experience, but on a recent call, I paused the typical readiness questions to ask, “How’s the mood around CECL adoption – what’s it been like getting others in the organization involved?” The three-word reply was simple, but powerful: “Kicking and screaming.”  

Earlier this year, by a vote of 5-2, the FASB (Financial Accounting Standards Board) closed the door to any further delays to CECL adoption, citing an overarching need to unify the industry under one standard. FASB’s decision also mercifully ended the on-again off-again cycle that has characterized CECL preparation efforts since early 2020. One might think the decision would have resulted in relief. But with so much change in the world over the past few years, is it any wonder institutions are instead feeling change-saturated?  

Organizational change

CECL has been heralded as the most significant change to bank accounting ever, replacing 40+ years of accounting and regulatory oversight practices. But the new standard does much more than that. Implementing CECL has an effect on everything from executive and board strategic discussions to interdepartmental workflows, systems, and controls. The introduction of new methods, data elements, and financial assets has helped usher in new software, processes, and responsibilities that directly affect the work of many people in the organization. CECL isn’t just accounting—it’s organizational change. 

Change management

Change management best practices often focus on leading from optimism—typically leadership and an executive sponsor talk about opportunities and the business reasons for change. Some examples of what this might sound like as it relates to CECL might include, by converting to lifetime loss expectations, the institution will be better prepared to weather economic downturns; or, by evolving data and modeling precision, an institution’s understanding and measure of credit risk is enhanced, resulting in more strategic growth, pricing, and risk management. 

But leading from optimism is sometimes hard to do because it isn’t always motivating—especially when the change is mandated rather than chosen.  

Perhaps a more judiciously used tactic is to focus on the risk, or potential penalty, of not changing. In the case of CECL, examples might include, your external auditor not being able to sign-off on your financials (or significant delays in doing so), regulatory criticism, inefficient/ineffective processes, control issues, tired and frustrated staff. These examples expose the institution to all kinds of key risks: compliance, operational, strategic, and reputational, among them.

CECL success and change management

With so much riding on CECL implementation and adoption going well, some organizations may be at heightened risk simply because the effort is being compartmentalized—isolated within a department, or assigned to only one or two people. How effectively leadership connects CECL implementation with tenets of change management, how quickly they understand, then together embrace, promote, and facilitate the related changes affecting people and their work, may prove to be the key factor in achieving success beyond compliance.  

One important step leaders can take is to perform an impact assessment to understand who in the organization is being affected by the transition to CECL, and how. An example of this is below. Identifying the departments and functions that will need to be changed or updated with CECL adoption might expose critical overlaps and reveal important new or enhanced collaborations. Adding in the number of people represented by each group gives leaders insight into the extent of the impact across the institution. By better understanding how these different groups are affected, leaders can work together to more effectively prioritize, identify and remove roadblocks, and support peoples’ efforts longer term.           

No matter where your institution is currently in its CECL implementation journey, it is not too late to course-correct. Leadership—unified in priority, message, and understanding—can achieve the type of success that produces efficient sustainable practices, and increases employee resilience and engagement.

For more information, visit the CECL page on our website. If you would like specific answers to questions about your CECL implementation, please visit our Ask the Advisor page to submit your questions. For more tips on documenting your CECL adoption, stay tuned for our next article in the series, revisit past articles, or tune in to our CECL Radio podcast. You can also follow Susan Weber on LinkedIn.

Implementing CECL: Kicking and screaming

Read this if your company is considering outsourced information technology services.

For management, it’s the perennial question: Keep things in-house or outsource?

For management, it’s the perennial question: Keep things in-house or outsource? Most companies or organizations have outsourcing opportunities, from revenue cycle to payment processing to IT security. When deciding whether to outsource, you weigh the trade-offs and benefits by considering variables such as cost, internal expertise, cross coverage, and organizational risk.

In IT services, outsourcing may win out as technology becomes more complex. Maintaining expertise and depth for all the IT components in an environment can be resource-intensive.

Outsourced solutions allow IT teams to shift some of their focus from maintaining infrastructure to getting more value out of existing systems, increasing data analytics, and better linking technology to business objectives. The same can be applied to revenue cycle outsourcing, shifting the focus from getting clean bills out and cash coming in, to looking at the financial health of the organization, analyzing service lines, patient experience, or advancing projects.  

Once you’ve decided, there’s another question you need to ask
Lost sometimes in the discussion of whether to use outsourced services is how. Even after you’ve done your due diligence and chosen a great vendor, you need to stay involved. It can be easy to think, “Vendor XYZ is monitoring our servers or our days in AR, so we should be all set. I can stop worrying at night about our system reliability or our cash flow.” Not true.

You may be outsourcing a component of your technology environment or collections, but you are not outsourcing the accountability for it—from an internal administrative standpoint or (in many cases) from a legal standpoint.

Beware of a false state of confidence
No matter how clear the expectations and rules of engagement with your vendor at the onset of a partnership, circumstances can change—regulatory updates, technology advancements, and old-fashioned vendor neglect. In hiring the vendor, you are accountable for oversight of the partnership. Be actively engaged in the ongoing execution of the services. Also, periodically revisit the contract, make sure the vendor is following all terms, and confirm (with an outside audit, when appropriate) that you are getting the services you need.

Take, for example, server monitoring, which applies to every organization or company, large or small, with data on a server. When a managed service vendor wants to contract with you to provide monitoring services, the vendor’s salesperson will likely assure you that you need not worry about the stability of your server infrastructure, that the monitoring will catch issues before they occur, and that any issues that do arise will be resolved before the end user is impacted. Ideally, this is true, but you need to confirm.

Here’s how to stay involved with your vendor
Ask lots of questions. There’s never a question too small. Here are samples of how precisely you should drill down:

  • What metrics will be monitored, specifically?
  • Why do the metrics being monitored matter to our own business objectives?
  • What thresholds must be met to notify us or produce an alert?
  • What does exceeding a threshold mean to our business?
  • Who on our team will be notified if an alert is warranted?
  • What corrective action will be taken?

Ask uncomfortable questions
Being willing to ask challenging questions of your vendors, even when you are not an expert, is critical. You may feel uncomfortable but asking vendors to explain something to you in terms you understand is very reasonable. They’re the experts; you’re not expected to already understand every detail or you wouldn’t have needed to hire them. It’s their job to explain it to you. Without asking these questions, you may end up with a fairly generic solution that does produce a service or monitor something, but not necessarily all the things you need.

Ask obvious questions
You don’t want anything to slip by simply because you or the vendor took it for granted. It is common to assume that more is being done by a vendor than actually is. By asking even obvious questions, you can avoid this trap. All too often we conduct an IT assessment and are told that a vendor is providing a service, only to discover that the tasks are not happening as expected.

You are accountable for your whole team—in-house and outsourced members
An outsourced solution is an extension of your team. Taking an active and engaged role in an outsourcing partnership remains consistent with your management responsibilities. At the end of the day, management is responsible for achieving business objectives and mission. Regularly check in to make sure that the vendor stays focused on that same mission.

Oxymoron of the month: Outsourced accountability

More and more emphasis is being put on cybersecurity by companies of all sizes. Whether it’s the news headlines of notable IT incidents, greater emphasis on the value of data, or the monetization of certain types of attacks, an increasing amount of energy and money is going towards security. Security has the attention of leadership and the board and it is not going away. One of the biggest risks to and vulnerabilities of any organization’s security continues to be its people. Innovative approaches and new technology can reduce risk but they still don’t prevent the damage that can be inflicted by an employee simply opening an attachment or following a link. This is more likely to happen than you may think.

Technology also doesn’t prepare a management team for how to handle the IT response, communication effort, and workforce management required during and after an event. Technology doesn’t lessen the operational impact that your organization will feel when, not if, you experience an event.

So let’s examine the human and operational side of cybersecurity. Below are three factors you should address to reduce risk and prepare your organization for an event:

  1. People: Create and maintain a vigilant workforce
    Ask yourself, “How prepared is our workforce when it comes to security threats and protecting our data? How likely would it be for one of our team members to click on a link or open an attachment that appear to be from our CFO? Would our team members look closely enough at the email address and notice that the organization name is different by one letter?”

    According to the 2016 Verizon Data Breach Report, 30% of phishing messages were opened by the target across all campaigns and 12% went on to click on the attachment or link.

    Phishing email attacks directed at your company through your team range from very obvious to extremely believable. Some attempts are sent widely and are looking for just one person to click, while others are extremely targeted and deliberate. In either case, it is vital that each employee takes enough time to realize that the email request is unusual. Perhaps there are strange typos in the request or it is odd the CFO is emailing while on vacation. That moment your employees take to pause and decide whether to click on the link/attachment could mean the difference between experiencing an event or not.

    So how do you create and cultivate this type of thought process in your workforce? Lots of education and awareness efforts. This goes beyond just an annual in-service training on HIPAA. It may include education sessions, emails with tips and tricks, posters describing the risk, and also exercises to test your workforce against phishing and security exploits. It also takes leadership embracing security as a strategic imperative and leading the organization to take it seriously. Once you have these efforts in place, you can create culture change to build and maintain an environment where an employee is not embarrassed to check with the CFO’s office to see if they really did send an email from Bora Bora.
  1. Plan: Implement a disaster recovery and incident response plan 
    Through the years, disaster recovery plans have been the usual response. Mostly, the emphasis has been on recovering data after a non-security IT event, often discussed in context of a fire, power loss, or hardware failure. Increasingly, cyber-attacks are creeping into the forefront of planning efforts. The challenge with cyber-events is that they are murkier to understand – and harder for leadership – to assist with.

    It’s easier to understand the concept of a fire destroying your server room and the plan entailing acquiring new equipment, recovering data from backup, restoring operations, having good downtime procedures, and communicating the restoration efforts along the way. What is much more challenging is if the event begins with a suspicion by employees, customers, or vendors who believe their data has been stolen without any conclusive information that your company is the originating point of the data loss. How do you take action if you know very little about the situation? What do you communicate if you are not sure what to say? It is this level of uncertainty that makes it so difficult. Do you have a plan in place for how to respond to an incident? Here are some questions to consider:
    1. How will we communicate internally with our staff about the incident?
    2. How will we communicate with our clients? Our patients? Our community?
    3. When should we call our insurance company? Our attorney?
    4. Is reception prepared to describe what is going on if someone visits our office?
    5. Do we have the technical expertise to diagnose the issue?
    6. Do we have set protocols in place for when to bring our systems off-line and are our downtime procedures ready to use?
    7. When the press gets wind of the situation, who will communicate with them and what will we share?
    8. If our telephone system and network is taken offline, how we will we communicate with our leadership team and workforce?

By starting to ask these questions, you can ascertain how ready you may, or may not be, for a cyber-attack when it comes.

  1. Practice: Prepare your team with table top exercises  
    Given the complexity and diversity of the threats people are encountering today, no single written plan can account for all of the possible combinations of cyber-attacks. A plan can give guidance, set communication protocols, and structure your approach to your response. But by conducting exercises against hypothetical situations, you can test your plan, identify weaknesses in the plan, and also provide your leadership team with insight and experience – before it counts.

    A table top exercise entails one team member (perhaps from IT or from an outside firm) coming up with a hypothetical situation and a series of facts and clues about the situation that are given to your leadership team over time. Your team then implements the existing plans to respond to the incident and make decisions. There are no right or wrong answers in this scenario. Rather, the goal is to practice the decision-making and response process to determine where improvements are needed.

    Maybe you run an exercise and realize that you have not communicated to your staff that no mention of the event should be shared by employees on social media. Maybe the exercise makes you realize that the network administrator who is on vacation at the time is the only one who knows how to log onto the firewall. You might identify specific gaps that are lacking in your cybersecurity coverage. There is much to learn that can help you prepare for the real thing.

As you know, there are many different threats and risks facing organizations. Some are from inside an organization while others come from outside. Simply throwing additional technology at the problem will not sufficiently address the risks. While your people continue to be one of the biggest threats, they can also be one of your biggest assets, in both preventing issues from occurring and then responding quickly and appropriately when they do. Remember focus on your People, Your Plan, and Your Practice.

The three P's of improving your company's cybersecurity soft skills