Pandemic-related policies and regulation, market conditions are top concerns in the healthcare industry
The continuing global challenges and potential existential threat posed by the ongoing COVID-19 pandemic. Political divisiveness and polarisation. Social and economic unrest. Gridlock. Artificial intelligence (AI), automation and other rapidly developing digital technologies. Rapid shift to virtual, remote work environments. Changes in the geopolitical landscape. Shifting customer preferences and demographics. Fragile supply chains. Wildfires and hurricanes. Volatile unemployment levels and record low interest rates. Escalating competition for specialised talent. Immigration challenges. Cyber breaches on a massive scale. Terrorism. Big data analytics. Future of work.
These and a host of other notable risk drivers are all contributing to significant levels of uncertainties, making it extremely difficult to anticipate what risks may lie just over the horizon. Unanticipated events are unfolding at record pace, leading to massive challenges to identify the best next steps for organisations of all types and sizes, regardless of where they reside in the world. No one is immune to the significant levels of uncertainty, and C-suites and boards need to be vigilant in scanning the horizon for emerging issues. Because no one can possibly anticipate everything that lies in the future, organisations must focus on building trust-based, resilient cultures, led by authentic leaders, that can pivot at the speed of change.
In this ninth annual survey, Protiviti and NC State University’s ERM Initiative report on the top risks on the minds of global boards of directors and executives in 2021 and, in a new dimension to this study, over the next 10 years, into 2030. Our respondent group, which includes board members and C-suite executives from around the world, provided their perspectives about the potential impact over the next 12 months and next decade of 36 risk issues across these three dimensions:
- Macroeconomic risks likely to affect their organisation’s growth opportunities
- Strategic risks the organisation faces that may affect the validity of its strategy for pursuing growth opportunities
- Operational risks that might affect key operations of the organisation in executing its strategy
“The healthcare industry has been forever transformed by its fight against the largest pandemic in over a century. The changes the industry has undergone at such a breathless pace have permanently altered the provision of care as we know it. Telehealth, remote patient monitoring and access to virtual services (e.g., chronic disease management, mental health maintenance) are here to stay. The future success of healthcare providers hinges both on bringing patients back for in-person services and on providing a comprehensive, coordinated virtual programme that inspires loyalty and improves convenience. Looking forward, industry leaders are steeling themselves for the next set of expected challenges — a growing need for employees with skill sets new to the industry, dramatic shifts both in applicable regulations and in the enforcement thereof, disruptive technological innovations, growing data privacy threats, and new competition from nontraditional models.”
Richard Williams, Managing Director, Healthcare Industry Leader, Protiviti
Commentary — Healthcare Industry Group
In 2021, nearly all of the top five industry risks listed by healthcare leadership and governance members are new to the top 10. While four of the top five were operational risks last year, there are no operational risks among the top five risks in this year’s list. Two pandemic-related risks now top the healthcare industry’s list. The “impact of regulatory change and scrutiny” is the only risk issue that remains in the top five since last year, although it dropped from the top risk in 2020 to the third risk in 2021. However, “adoption of digital technologies may require new skills” and “economic conditions impacting growth” are both perceived to be riskier in 2021 compared to 2020, jumping into the shortlist from numbers 13 and 15, respectively.
Following is commentary on the 2021 top 10 risks rated by board members and C-suite executives in the healthcare industry.
Healthcare organisations are facing unprecedented challenges because of the COVID-19 pandemic. In order to align organisational emergency management practices with public health emergency guidelines, most healthcare providers will need to create or revise policies for visitors, staff attestation, social distancing and so on; develop risk mitigation processes to address shortages in personal protective equipment (PPE); and bifurcate clinical areas to accommodate both COVID-19 positive and COVID-19 negative patients, to name a few. Organisations should also incorporate COVID-19 infectious disease protocols into their existing emergency preparedness plans to accommodate simultaneous events, in an all-hazards approach. Each organisation will need to ensure its business continuity plans (including department-specific plans) include a focus on public health safety and be prepared to provide adequate staffing to account for labor shortages, the increase in documentation requirements, new Occupational Safety and Health Administration (OSHA) provisions, and the significant reporting obligations for COVID-19 testing and vaccine distribution.
Among the most pressing priorities are vaccine distribution policies and protocols and the associated state and federal reporting requirements. For example, vaccine-related internal documentation must include all adverse drug reporting as well as secondary dosage scheduling, reminders and so on. This area is especially important if the healthcare organisation is distributing vaccine responsibilities to their clinics and pharmacies.
The development of a comprehensive organisational vaccine protocol is critical to meeting the associated regulatory requirements and mitigating legal and regulatory compliance risk in the likely event of future scrutiny by government agencies.
A key risk mitigation strategy is to develop a supply chain resiliency plan. A critical component of the healthcare supply chain is the flow of numerous product types from manufacturer to patient. This requires the participation of various stakeholders who work in concert to achieve the goal of meeting patient care needs. The supply chain implications of simultaneous events such as a hurricane during a pandemic can play a significant role in supply chain operations. These types of simultaneous events can be mitigated through activation of programmes, determination of the language to be included in emergency declarations, public messaging, and more. Vendors for commonly needed products during these events, such as vaccines and PPE, are often limited. In public health emergencies, demand for these products can far exceed production capacity.
Each healthcare organisation should verify that a supply chain resiliency plan that focuses on considerations for providers and patients is in place. The plan should also address manufacturer and distributor roles and key vulnerabilities and include pre-event, response and recovery considerations for the necessary components of the healthcare supply chain.
COVID-19 has dramatically changed the healthcare delivery system and impacted patient behaviors. The increased media attention on healthcare has resulted in more patients taking an active role in their healthcare, seeking online information, having a willingness to participate in clinical trials, and sharing their own health information in response to the need for new treatments and models of care.
At the same time, patients have also deferred elective and preventive treatments and services to avoid exposure to the coronavirus and because of concerns about the cost of care. The traditional healthcare business model, which relies heavily on surgeries, treatments and procedures as profit centers, has been significantly impacted. This leaves organisations with the need to re-examine their pre- and post-COVID-19 models.
During the pandemic, the need for alternative delivery models of care and medical advice has resulted in an exponential surge in the demand for telehealth and virtual services. Despite the difficulties traditionally associated with the rapid adoption of a new paradigm, consumer satisfaction with virtual services is high and health outcomes associated with remote patient monitoring are even better than anticipated. This increase in access to virtual disease management and mental health services is a positive change in care delivery for consumers and will last well beyond the pandemic.
The pandemic has affected healthcare market conditions in other ways and has highlighted the impact that social determinants of health and racial and ethnic disparities in healthcare have on public health. Population health programmes should include the collection and analysis of social data to design programmes and services, such as remote patient monitoring, which will have a positive impact on improving healthy behaviors and outcomes.
The prospect of regulatory change and heightened enforcement has been a key consideration in the identification and mitigation of organisational risk in the healthcare industry for decades. However, this year, perhaps more than ever, regulatory change will drive a shift in the way healthcare is delivered. Additionally, a new presidential administration brings with it a new perspective on healthcare reform, which will almost assuredly result in further policy and regulatory change, with unknown implications.
The fraud opportunities associated with COVID-19 are expected to be a key focus of federal enforcement officials in 2021. Compliance with rules and regulations issued in response to the pandemic, such as those regarding the sale of PPE and federal healthcare payments relating to federal recovery programmes, will remain critically important. While the pandemic may have caused a temporary enforcement slowdown in 2020, we are already seeing an escalation in enforcement actions and recent regulatory changes will likely amplify enforcement trends throughout the year. For example, the Office for Civil Rights (OCR) ramped up privacy and security enforcement actions toward the end of 2020 for both small- and large-scale healthcare organisations. We expect this activity to remain steady with a continued focus on OCR’s new Patient Right of Access Initiative as the industry heads toward the goal of coordinated care and the comment period comes to a close on newly proposed HIPAA Privacy Rules. Further, recent regulatory changes such as those to the Stark Law and the Anti-Kickback Statute, as well as new regulatory initiatives such as the Office of the National Coordinator for Health Information Technology (ONC) Cures Act Final Rule, will bring about additional scrutiny. Moreover, healthcare fraud investigation and prosecution will continue to be a top priority for the Department of Health and Human Services (HHS) Office of Inspector General (OIG) and the Department of Justice (DOJ), especially with the newly created False Claims Act Working Group. Based on recent regulatory changes and OIG, OCR and DOJ enforcement actions, compliance will remain a top concern, especially in the areas of telemedicine, opioid prescribing, substance abuse treatment facilities, genetic testing, Medicare Advantage Plans, electronic medical record certification, kickbacks and privacy.
Furthermore, President Biden plans to focus his attention on the protection and expansion of the Affordable Care Act (ACA), value-based care, racial health disparities, surprise billing, drug price transparency, and expanding Medicare and Medicaid. These plans for healthcare reform will hopefully reduce costs and create a healthcare system that is less complex for patients to navigate. However, new areas of healthcare compliance risk areas will emerge, and industry participants will need to identify and mitigate these risks.
Many compliance leaders are being asked to do more with less, even as legal and regulatory compliance risks increase. With the significant changes brought about by the pandemic, the changes to come with the new administration, and the OIG, OCR, and DOJ focus on enforcement activities, maintaining effective compliance programmes, and performing timely and thorough risk assessments will continue to gain importance. Compliance programmes should be continually evolving to identify new compliance risks from insights gathered from disparate sources, both internal and external. All efforts mounted to mitigate newly identified risks, including implementation of effective controls, new auditing and monitoring initiatives, and training, should be utilised in order to enable a compliance programme to truly be effective. Because demonstrably effective compliance programmes can identify, detect and correct instances of regulatory noncompliance and because they reduce fines and penalties should things go wrong, their existence has likely never been more important than it is now.
In 2021, the healthcare industry will continue to implement data-informed care in order to predict, manage and enhance healthcare outcomes. This trend will continue to increase the need to use skilled labor resources who can assess business and clinical processes and strategies and design and implement technological solutions effectively. Especially ripe for digital solutions are the areas of population health management, health outcome forecasting, revenue optimisation, and the creation of trended analytics on physicians and departments aimed at identifying who provides the best care value. Critical to enabling this is an organisation’s ability to identify, recruit, develop and retain resources with applicable skill sets. Individuals equipped to help enable these digital technologies are already becoming scarce and the competition for their services is increasing across industries. Furthermore, training up existing employees on some of these advanced technologies, such as artificial intelligence, machine learning, natural language processing and robotic process automation, is neither easy nor quick. Even when the right base skill sets are in place, the ability to know how to use the technology in a way that not only delivers the expected outcomes, but also provides for an appropriate level of controls is not something that develops without some trial and error. Healthcare organisations will have to find new ways to attract the right talent in order to leverage these new digital technologies efficiently and effectively.
Additionally, while it may be possible to find the talent to develop and deliver specific digital solutions, the ability to identify optimal use cases continues to be a struggle for many healthcare organisations. The ideal technological partner in today’s healthcare industry is one that understands which healthcare processes need to be improved and what the desired future state should look like, the scope of what digital technologies can deliver, and how to identify and implement the optimal solution. Organisations that desire to maximise the potential of technological innovations will need resources and partners that can both evaluate which technological solutions best align with the organisation’s strategy and existing IT infrastructure and deploy those solutions with minimal disruption.
The pandemic has had significant impacts on many in-person service businesses that typically employ large numbers of young to middle-aged persons. These impacts include layoffs, unpaid furloughs, bankruptcies and even closures. Increases in unemployment are typically accompanied by a reduction of commercially insured patients and an increase in Medicaid and uninsured patients. Many healthcare organisations are financially stressed both because of fewer encounters in profitable service areas and increased costs — due to staffing shortages (requiring the use of expensive temporary patient care labor), acquisition of PPE and other COVID-19-related supplies, and the reconfiguration of existing treatment space. The financial impact has been compounded by the relatively low payments for COVID-19-related care that, in many cases, includes extended lengths of stay and the use of intensive care unit (ICU) resources. In 2020, the federal government provided significant funding through the Coronavirus Aid, Relief, and Economic Security (CARES) Act and other initiatives. However, there is a high degree of concern that 2021 may see a marked decline in pandemic relief funding.
Many healthcare organisations may find themselves in a position of needing to simultaneously fund purchases of new technology, replenish critical supply inventories, deal with continued labor shortages and pivot to delivering remote/virtual care, all while experiencing the operating margin pressures highlighted above. In addition, this could be compounded by continued delays in patients seeking elective medical procedures due to pandemic concerns or uncertainty of employment and/or insurance coverage. Although many organisations have recently improved liquidity with debt issuances, concerns have been raised around the ability for some organisations to access sufficient additional capital if a prolonged or severe recession develops in 2021.
Cyber threats are still top of mind for the healthcare industry as we saw numerous ransomware attacks targeting healthcare organisations throughout 2020. In October, the Federal Bureau of Investigation (FBI) and the HHS warned of “increased and imminent” cyber threats to hospitals, as attackers continued to increase their focus specifically on healthcare organisations. While the risk of a cyber attack is still a very real threat to healthcare organisations, the other risks the industry is facing as a result of COVID-19 and the new presidential administration have somewhat overshadowed them in this year’s survey. However, the more mergers, acquisitions, partnerships, joint ventures, data sharing platforms and so forth that an organisation undertakes, the harder managing its cyber threats and vulnerabilities becomes. Unfortunately, many “bad guys” know how thinly healthcare resources are stretched right now, and they will continue to target the industry accordingly.
It is not uncommon for healthcare organisations to perform multiple rounds per year of technical security testing on their known environments to keep an eye out for potential areas of weakness that may be targeted. However, even with this practice, there continue to be devastating “zero-day attacks,” in which vulnerabilities were unknown until a successful attack occurred. In the aftermath of these attacks, organisations are forced to scramble to address the exposed weakness, simultaneously attempting to eliminate the vulnerability and determine if it has been previously exploited.
The industry’s leaders understand how complex healthcare’s computing environments are in today’s distributed business models. They are investing in IT security teams and programmes to understand where and how organisations connect to their environments, where those partners host their systems, what tools those partners utilise, and how to effectively respond to new known vulnerabilities. The SolarWinds hack was an unfortunate example of how healthcare organisations need to be thinking about their security exposure. If your organisation relies on a co-located or hosted data center, understanding what systems your partner uses to maintain the network could be key to knowing what your potential exposure is. Further, if an individual system is run as a software as a service (SaaS) model that connects to your trusted environment, do you know how that SaaS solution is structured, where it is hosted, and how it is maintained? It may be difficult for many organisations to fully grasp how the scope of a vulnerability like what we saw with the SolarWinds hack may impact their systems, data, privacy and security. Healthcare organisations need to continue to further their cybersecurity programmes to identify, assess and work to manage risks that keep evolving as the network perimeter continues to dissolve and expand.
As healthcare organisations continue to leverage data to provide advanced and predictive healthcare in an attempt to paint a more complete picture of an individual’s health, more data will be collected not only from the patient, but also from outside data resources, much like today’s data-driven leaders (e.g., Amazon, Microsoft, Apple) do. These activities, coupled with a new administration and new and proposed regulatory changes (e.g., the ONC Cures Act, proposed HIPAA Privacy Rule changes), will create many privacy- and security-related challenges for healthcare organisations. When contemplating the collection of new data sets, many determinations should be made:
- Is this data protected health information (PHI) and therefore governed by HIPAA and other regulations?
- Is this data necessary to provide better care to patients?
- Who should have access to this data and in what manner may it be provided?
- With whom can this data be shared?
- Who owns this data?
- Who is responsible for amending data if discrepancies are noted?
- How does the healthcare organisation ethically use this data to help its financial position?
- What are the correct mechanisms to engage with the patient when the data is pointing to potential health needs or trends that need to be encouraged or changed?
Critical to compliance with the many privacy and security requirements associated with PHI is the accurate identification of patients and all of the additional data related to an individual (e.g., geographic location, estimated income level, credit score, shopping trends). A historical problem in healthcare information management has been the lack of a primary and universal identifier for patients. As a result, many healthcare organisations still deal with duplicate patient records that have to be assessed and cleaned. Bringing in additional data elements can continue to help ensure the integrity of the patient identity, but it can also introduce additional risk and privacy concerns, if not done accurately and securely. While data can drive better care, it is also important to understand that as more data is collected on these patients, the value of the information being created is going to make these data repositories even more enticing for attack, snooping or other misuse. The ability to monitor a user’s activity may need to be improved to identify potential snooping or abuse of access to new data in potentially new environments. Many healthcare organisations have not yet considered the many privacy and information security implications that accompany these more pervasive data repositories, including the operational challenges and overall risk they present. However, keeping patient data safe and secure should continue to remain a priority, and investments may be required to do so.
Healthcare supply chains are complex and multifaceted. They need to accommodate a wide array of items (e.g., devices, medicines, blood, gases) and supply networks. At the same time, they are expected to be agile and low-cost. Over the past year, the pandemic has created a massive demand for key items, compromising the ability of healthcare provider supply chains to obtain and deploy these critical items quickly and cost-effectively. Shortages, uncertainty of supply, the need to find new or alternate sources of supply, and pressure to manage costs have resulted in a sharp increase in the concern and awareness of supply chain risks by healthcare leaders.
Specifically, the pandemic caused an explosion in the demand for medical supplies such as disinfectants, PPE, ventilators, select pharmaceuticals and blood. Prior to the pandemic, these were readily available from the hospital system’s primary (or Tier 1) suppliers. The rate at which COVID-19 spread across the globe quickly led to shortages. Seemingly overnight, healthcare providers found themselves competing with new, nontraditional buyers, leading to product scarcity and price increases. As the scale and magnitude of the pandemic became clearer, both existing and new suppliers invested to retool and refocus in order to fill some of the gaps, leading to ripple effects that threatened the reliability and availability of other supplies.
The supply shortage created an urgent need to find both new sources of supply and alternative products. Supply chain professionals faced tremendous pressure to vet and set up new suppliers as well as to find and acquire substitute products. As we look toward a post-pandemic world, leading hospital systems are rethinking their supply planning and replenishment processes and undertaking initiatives aimed at determining whether their master data management and supplier risk controls are effective. While supply chains have always been understood as critical, the pandemic exposed the significant extent to which they can impact a wide range of hospital operations. In response, healthcare leaders are currently focusing on creating or updating their supply chain resiliency plans to include risk mitigation activities from both manufacturers and distributors.
Even though multiple vaccines have been approved and introduced into the market, the pandemic will continue to impact healthcare supplies well into the immediate future. Looking into 2021, hospital supply chains will likely experience additional pressure as hospital systems reinitiate previously suspended operations. For instance, there will be high demand for deferred and elective surgeries for which hospitals will need to plan properly in order to ensure the appropriate supply.
As the issues and risks highlighted above continue to impact the effectiveness of hospital system supply chains, supply chain managers should evaluate potential initiatives and remedies available, such as:
- Reassessing supply base and, if not currently doing so, implementing supplier performance monitoring
- Requesting that key suppliers and/or major distributors provide their risk mitigation plans
- Building contingency planning into demand forecasting and supply planning to prepare for future supply shocks
- Expanding and creating new relationships with secondary or tertiary (backup) suppliers to offer a faster route to alternate supply channels
- Reanalysing safety stock and replenishment levels for critical supplies and creating or utilising a supply chain resiliency plan to include thresholds in the event of a future pandemic
- Looking to initiate potential alliances with other systems for safety stock storage and price leveraging
The ability to be prepared to mitigate the consequences of unforeseen large-scale events will not only drive future success and viability but will also serve as a strategic advantage in the healthcare industry.
Successfully managing labor costs is not a new concept, especially in the healthcare industry. Healthcare is fundamentally a service industry, one requiring a large complement of highly skilled personnel. The general reimbursement model does not allow for the easy pass-through of increased labor costs, which, absent efficiency gains, leads to compressed operating margins. Healthcare labor shortages have been predicted for the past decade, as the rate of healthcare professionals retiring exceeds the rate of those entering the workforce. Additionally, the need for healthcare workers is growing, as the average life expectancy of the general population has increased by nearly 10 years over the last half century. The impacts of these demographic trends have been compounded during the last year due to the effect COVID-19 has had on the healthcare industry. The historically high censuses at many hospitals, generally, and within their ICUs, specifically, have had and will continue to have both short- and long-term consequences for labor costs.
In the short term, many organisations have offered shift premiums or COVID-19-related enhanced pay, hired contract nurses and physicians, and leveraged high levels of overtime to meet the care demands of the pandemic. These necessary labor solutions result in increased cost over normal/planned operating levels, with reimbursement levels for services often not adjusting to adequately compensate for the increased cost. In addition, a soft cost is being incurred, as the effects of the strain put on front-line workers in the battle against the pandemic (e.g., burnout, turnover, career changes) will likely continue to be felt long after the COVID-19 pandemic is over. The risk of a clinical labor supply shortage is very real, in both the short and long terms. Without adequate planning and action, providers will likely see significant drops in key metrics across the board, from quality to patient and employee satisfaction to operating margins and beyond.
Actions to consider for addressing decreased margins due to labor costs should include increasing telehealth and virtual care options, leveraging technology (including artificial intelligence) to find better clinical pathways and outcomes, optimising scope of practice for clinical providers, analytical analysis to identify under capacity and negative margin service lines, clinical process improvement and re-engineering initiatives, and strengthening relations with medical schools and clinical practice programmes.
In 2020, healthcare providers faced a myriad of challenges born out of the fight against COVID-19. Many of these challenges were met with provider innovation and patient adoption of new healthcare delivery options — telehealth, home healthcare and remote patient monitoring, to name a few. While this demonstrated that most of the industry was capable of making these rapid changes, for many traditional healthcare organisations, there is still a long way to go in order to compete with their new “born digital” competition. These born digital companies are focusing on disrupting the profit centers in the healthcare delivery segment, aiming at converting patients to use their direct-to-consumer products vs. the patient having to traverse the traditional model of engaging with a physician and not knowing what the cost of the service may be and having to wait and see whether their insurance will reimburse or cover the service. While the “Haven” collaboration between Amazon, Berkshire Hathaway and JP Morgan Chase disbanded its operations in February 2021, this does not indicate the threat to traditional healthcare posed by tech-heavy disruptors is abating. Amazon is continuing to identify ways and methods to move into healthcare delivery. It is already running a pharmaceutical distribution solution in Amazon Pharmacy. Moreover, in 2020, Amazon started rolling out a virtual care-based app (which it soon plans to make available to other organisations), allowing its employees to interact with physicians. Even with Haven gone, many other born digital companies are keenly focused on making inroads into healthcare.
In 2021, healthcare provider organisations may be considering how they can reduce budgets in an effort to mitigate losses experienced in 2020. However, this may be done at the cost of reducing technological investments at the very time that the industry continues its march toward a more digital, consumer-focused mindset. Ultimately, reducing budgets without recognising these risks may result in losing patients to consumer-first-minded, born digital competitors.
In order to successfully embrace the opportunities afforded by technological progress, healthcare providers will need leaders who are skilled at driving change and who can ultimately achieve widespread buy-in for cutting-edge initiatives. Those with the ability to educate healthcare employees who have been performing the same processes for decades and to enable them to identify areas of inefficiency will be highly sought-after by the healthcare organisations that wish to effectively implement their consumer-based healthcare strategies.
The “technology debt” that many healthcare organisations continue to accrue to maintain legacy applications, servers and hardware will continue to be a strain on technology resources and budgets that may hamper digital strategies. Those organisations that continue to focus on, develop and deliver on their digital strategies and move away from these legacy systems are apt to be the big winners in healthcare in the years to come.
Overview of Top Risk Issues in 2030
As healthcare executives gaze forward and consider what the top risks in 2030 will look like, new pandemic-related risks fall by the wayside, strategic risks become even more important and having resources with the proper digital technology skills becomes top of mind. Always present for healthcare organisations is the uncertainty of regulatory changes and ensuring privacy and security of healthcare’s most valuable asset, public health information. Rounding out the top five healthcare risks for 2030 are new disruptive innovations and new competitors into the industry. As is becoming more and more common, the unknown of the future is of greatest concern to most executives.