Interview with Czech General University Hospital CIO
Czech General University Hospital is already using cloud technology and machine learning, as well as deploying chatbots. In a typically conservative industry, such an example of digital transformation is a true anomaly. We sat down with the hospital's CIO Vlastimil Cerny to discuss why and how this change took place. This is the first in our series of interviews with leaders of digital transformation initiatives in CEE. The series is aimed at informing readers about successful transformations, what the decision-makers at these companies have done right, what they see as key priorities, and what challenges they face.
First, let me thank you for agreeing to do this interview and enlighten others who would like to transform their business. To begin, what new technologies have you deployed?
We have deployed a machine learning solution to improve 3D modelling of tumors. There is obviously still a human factor, you can't get rid of that, but now the machine learning algorithms are doing the time-consuming and repetitive part of the job, so that the physicians can focus on other tasks. We have also introduced powerful BI tools, so that we can now access and analyze data about quality of care almost entirely online. And all these new developments have been enabled by our migration to cloud. We now have the majority of our data in the cloud, which may be unique in the Czech hospital sector.
When it comes to cloud, one of the most common concerns noted among stakeholders in IDC surveys still tends to be security. What is your take on that?
Every time we have these discussions on cloud security, I say: Go to Facebook or YouTube and find a video from the datacenter of some large cloud company. Look at the video, and then if you still think that we have a similar datacenter here at the hospital, then we can talk again. If they have a better one, then the security there will likewise probably be better.
For me, cloud services solve a lot of operational problems. I don't need to think about all the operational minutiae, and we have a lot of data in cloud – something around 21 peta bytes. It solves also problems with VPN access, physicians and other employees can access it everywhere from the cloud.
In fact, the cloud can serve as an ultimate back-up. Even if, God forbid, our core systems and servers should shut down for some reason, users would still be able to access the information via their smartphones.
And how do you persuade users to "migrate to new ways of doing things", such as not playing ping-pong with files via email, but instead to work on collaborative platforms such as Sharepoint or OneDrive?
I have a simple philosophy. I test new technologies on our CEO (after we go through some beta-testing). And if it works, then she acts as an evangelist. If hospital staff come to her a bit disgruntled, and she tells them that she is using the technology personally without any hiccups, then the discussion usually ends. Our CEO actively uses her data in cloud, sending cloud attachments with emails, and the staff regard that as a sort of positive example.
So, the most important thing to have when adopting major technological innovations is support from the CEO. Is anything else critically important?
Apart from CEO support, I think the key is the overall perception of the IT department in the organization. Unfortunately, in some hospitals IT is viewed as “just another support process”. Like you have a kitchen, cafeteria, boiler room, laundry room… and IT on the same level. If IT is not viewed strategically, then you have a problem. So apart from the CEO's support, the CIO needs to view IT as a potential competitive differentiator.
I think that, in this sense, we are really making a difference and we are a leader in the Czech hospital sector. For instance, we are already pursuing GDPR compliance, not treating it just as a pro-forma exercise.
Apart from general staff perception and the CEO's support, a key element of success is the IT staff. You need people who are attuned to business processes and not just “IT guys”. When I started here, I asked during one of the first meetings of the IT department “Who is specialized in LoB applications? Who is specialized in ERP?” No one was. Then you find out that the people don't really know the processes, and they are not interested in them. IT for them is about whether servers, operational systems, and SQL servers are working. And that's the end of it. So it was a great change to expect IT people to be interested in processes and require them to operate as an internal service delivery. I also had to stress that we should be forthcoming towards users and solve their problems — not operate in a bunker mentality.
How long did it take the team to change and acquire the needed skill set?
It took a year, and, unfortunately, very few people have been willing to change. In addition, some people expect the public sector to be a “safe harbor”, and assume that no one will be expecting much from them in terms of deliveries. For instance, we have introduced new metrics for measuring the quality of support we give to users. We have a service desk, ITIL processes, SLAs, and we measure feedback from customers — every help desk query has feedback about “customer” satisfaction levels. And the deployment wasn’t easy, the IT department was anxious about feedback. But until you have feedback, you can't be sure about the quality of the service you are providing.
So this can be also used to benchmark the service desk employees?
Yes, it can.
On the other hand, it must be hard for service desk employees to have the same conversation 70 times, explaining that a certain issue has to be solved in a certain way…
Well, since we are discussing this, I should probably mention that we are now deploying three or four chatbots, one of them integrated into service desk functions. Combined with some FAQ pages, they should be able to solve many of the more common questions.
When you came as a CIO, there were obviously a lot of legacy systems demanding attention. How long does it take for a new CIO to finish the first “digital transformation” project?
Well, the problem is legacy systems, especially the limits created by contractual agreements which are already signed. If you have 95% of your ICT budget already allocated, you have a problem. Fortunately, this was not the case with our hospital. I came on board last March, and I had two months to figure out how to proceed with our major contractual agreement. I considered both CAPEX and OPEX options. I needed to map the situation, I needed to persuade management, and I needed to overcome opposition from the former IT team. But we signed the cloud agreement in May, the first implementation was in June-August, we migrated first user accounts (including the CEO's) in August, and the mass migration came in September. We migrated 6,500 people in a fortnight. And this not only involved Office 365, it is a rather large project… we also implemented MS System Center and MS Intune for mobile device management (including BYOD).
I imagine that BYOD must be hard to implement in an organization like a hospital. How many people are using that?
All employees have their own mailbox, so all have access to their data on their own devices, and for the key employees we have multi-factored authentication and management of personal devices. We can do a selective wipe (hospital data only) on their own devices, we can distinguish between private and enterprise data, so that we can protect the hospital’s data even though it is downloaded into a personally owned device (for instance, you cannot save enterprise content into your private folder). We also enforce encryption and authentication. We can do this not only for smartphones, but also for tablets and PCs. We are always explaining to users why we enforce certain things and why we need a certain degree of control over the device, so that they are not worried that we might survey their personal activities. But to return to the scope of the original project – we also have MS Advanced Threat Analytics, which monitor users and analyze their behavior and then report anomalies. So, for instance, if someone is accessing something at night (which is not typical for him), it is flagged. In this way, we have already detected some phishing cases.
Speaking of threats, when we are doing a survey, respondents often identify their own employees as the biggest threat. Do you have a similar situation?
Well, in terms of data leakage, this usually starts with employees. Either the data can be stolen or they may be reckless. On the other hand, thanks to cloud and shared infrastructure, our employees are more protected, because mail is pre-checked, including their attachments and links, and the majority of malware is detected before they have a chance to open it. We no longer have to solve incidents with anti-malware protection on Exchange, as this is done by our cloud provider. So, while the employee is a liability in terms of being susceptible to phishing, our internal users do not represent a threat in terms of being hackers.
So employees tend to be an involuntarily threat? You don't typically have issues arising from malicious intent?
No, they really have no reasons for revenge against employer. It is not common.
What about patient data – wouldn’t it represent a lucrative commodity?
Internal users usually have their access limited only to the cases that are pertinent to them. And for an external hacker, it would be very hard to penetrate. First, you would have to access the VPN tunnel. Then you would have to access some computer that would allow you to see the data, which would require an additional login. It would not be easy. I would also say that since we have a public system of health insurance, this kind of data might not be as valuable as in some other countries that have a private insurance system.
Shifting gears a bit – you are already operating in the cloud and using machine intelligence both as a support for core processes and through chatbots. What is next? What new opportunities do you foresee?
For the moment, we need to perform a sort of “house cleaning”. We still have around 200 apps, and so we are now trying to rationalize. One way we’ve accomplished this is to operate in cloud first solutions. The next big project will be the modernization of NIS (hospital information system). Thanks to my professional background, I know quite a lot about worldwide vendors, but even though we have information, we struggle with attracting vendors from abroad to participate in our tenders. Public procurement rules are presenting a challenge. We would like to deploy something which is widely in use in Western Europe. We apply HIMSS methodology, which has seven stages of certification; stages six and seven are not present in CEE so far, but only in Western Europe. We would like to apply this methodology while selecting new NIS, but we'll see how this will fare.
How do you present the added value for patients of these (and other) investments? What difference will they make?
There lies the difference between just an “IT guy” and someone who can view new projects from the point of business processes. Quality of provided care is connected with effectiveness. We are striving to improve the effectiveness of care in order to improve the quality. One example: HIMSS stage four requires basic clinical decision support based on rules engines in at least one clinical service area and for physicians to make better prescription decisions. We are doing some of this. For instance, we have a rule engine system for pharmacological interactions, which, in certain cases, can save lives. Physicians are alerted to avoid unwanted interactions between two or more medications. Another example is the CT scan technology we discussed. It can alert physicians to some irregularity that should be checked. This system is still in the R&D phase, but should go live for clinical use during this year.
And then there are things that are still in the future, but which may present ethical dilemmas in healthcare. For instance, systems that can suggest various clinical pathways for the patients given their anamnesis. This could help the physician make a decision based on data analysis, but there could be also ethical problems. Should they suggest a pathway which is one-tenth of the cost but has a slightly lower life expectancy. Ultimately, I think patients will benefit from going to a hospital that uses predictive analysis and these kinds of diagnostic tools. This presents only one facet of how IT can directly help patients. It is often hard in the diagnostic phase to make the right call, and these innovations can really make a difference.
Yes, this seems very useful indeed. Nevertheless, I assume it might be difficult to get the general public to understand these concepts. They would probably like to have some kind of hospital ranking to tell them where to go.
The ranking of hospitals is an interesting issue; there is considerable opposition to it. You can measure the quality of care according to some KPIs (some of which we have deployed, and we could probably deploy more if we had data from more hospitals). But all these measurements are just support. In the end, it is about physicians, and the best thing the IT department or CIO can do is to give physicians tools to be more effective and deliver better quality care. The quality will not improve significantly in terms of general health outcomes (we already have a very good healthcare system) but it will probably slightly improve.
Speaking about competition, you are certainly among the leading Czech hospitals. Isn't the overall state of informatization in Czech healthcare putting the brakes on your efforts to innovate in your hospital?
Well, in certain cases it can slow us down, for sure. We would certainly welcome a better exchange of data or eHealth in general. On the other hand, if I just waited for the ideal environment to do something, then I would probably not do anything. And if some others join, we will be glad to integrate our efforts with them. It is better to be a trendsetter than trying to catch up with already established trends. For certain technologies, it’s not a question of if, but rather when. Healthcare is one of the industries in which you can tell whether a given technology is mature enough for deployment. Hospitals tend to be very conservative and careful for good reasons and deploy only technologies that are quite secure.
Yes, we see that in IDC data. But there is also marked regional differences in adoption rates. Compared to Western Europe, CEE is slow to adopt.
That is mainly because of the prevailing view to see IT only as a “simple support” process. It may be also about people — you simply can't move forward with old fashioned “IT guys”. The worst thing for those who are trying to initiate change in a large organization is to go through the IT department. They may be the first to oppose such a change.
It comes down to worksource then. But IT employees could be the first to profit from the change. They cease being just “IT guys with a cables and screwdriver” and get a lot of time to pursue innovative products. Their hands are freed by the transformation, so they should be thrilled.
There are few of them who are thrilled. A large portion has been unable to embrace change.
So, to execute change you need to change the staff?
It is not that you would need to fire people en masse, those unable to cope will usually leave by on their own. Then again, there are people who are “awakened” by the change and undergo change themselves. And then there are people who come from outside and are surprised how much innovation is going on here. But it is difficult to persuade job seekers that the hospital is a place where cool new innovations are happening. We are not viewed as an opportunity to get a good reference for your CV; we are not recognized as a “trendy” employer. This is a problem for the public sector in general. Yet, on the balance, people here have the opportunity to work on much more interesting projects and technologies than what you might typically find in some more “glamorous” sectors.
Thank you very much for your time. We wish you all the best in the next phases of your digital transformation efforts.
For more information on IDC CEE public sector research, which helps vendors and end users alike to tackle the challenges of digital transformation, please contact Jan Alexa (firstname.lastname@example.org).