FinThrive Podcasts

AI in RCM: Revolutionizing Healthcare Finance with John Landy | FinThrive

Written by FinThrive | Mar 7, 2025 1:34:47 PM

healthsystemCIO podcast interview featuring John Landy, CTO, FinThrive

Discover how AI is transforming revenue cycle management (RCM) in this engaging interview with John Landy, CTO of FinThrive. Landy explores how AI-driven automation is paving the way for streamlined workflows, improved claims processing and denial predictions, all while enhancing financial stability for healthcare organizations. He also highlights the critical role of cybersecurity, stressing the importance of cyber resilience plans to guard against breaches and ensure rapid recovery.

Gain actionable insights on integrating generative AI for automation, consolidating vendor partnerships and leveraging innovative tools to address financial and administrative challenges. Whether your focus is on improving patient experiences, optimizing revenue streams or enhancing operational efficiency, this podcast delivers a forward-thinking perspective on AI’s game-changing impact in healthcare finance. Don't miss this strategic discussion designed to help healthcare leaders stay ahead.

 

 

Episode Transcript

Introduction to FinThrive and Its Role

Welcome to HealthSystem CIO’s Live at HIMSS interview with John Landy, CTO at FinThrive. I'm Anthony Guerra, founder and editor-in-chief. John, thanks for joining me.

Thanks, Anthony. Good to be here.

Alright. Very good, John. You wanna start off by telling me about your organization and your role?

Sure. FinThrive is a leading supplier of revenue cycle management software and services.

We believe in reducing the friction between hospital systems and payers, be it either public payers or private payers. We sell software and services depending on the need and the different use case.

We've been in business for over thirty years through the companies that comprise FinThrive. So we bring a lot of experience from the industry as well as innovation on the software front.

My role as CTO is focused on product development—people writing code, deploying code, and also security that's embedded within our software process, as well as our overall security posture. I also oversee our cloud operations, which covers where we run our systems. We're a big partner of Microsoft, as well as data centers, and I manage any related operations.

AI Applications in Revenue Cycle Management

We know that AI has been a big hit on the clinical side. Can you tell me how that's being used in the RCM side?

Yeah. In RCM, for example, at FinThrive, we think about it in three different workstreams for AI. One is how our employees use it, and that is true for any hospital system using Microsoft Copilot. Our developers use GitHub Copilot to co-pair program.

We use it for test generation and security. We also use it to do customer support, for example. So AI is embedded in how our employees perform their daily jobs.

Secondarily, we use it for how we process our customers' information. That might include contract loading—contracts between payers and providers are a big thing that's constantly changing. It’s often in unstructured data, so it needs to be codified, and then we learn from that data to produce better results.

The third area of AI is in our products. We use AI embedded in all of our product capabilities.

We have probably twenty different product features under development now, as well as a number that are in production today. You may not even know that some of these features are driven by AI, but they make your work more productive and deliver the results you need.

CIO Engagement and Security Concerns

As far as the CIOs, how deeply engaged do you think they are in the revenue cycle management system and what's going on over there? Are there things that could be improved on that side that they’re maybe not plugged into because they have so many other things on their plate?

Yeah. I think the world has changed since the Change Healthcare cyber event, which was about a year ago. We've gotten a lot of callouts from our customers—primarily hospital systems and healthcare providers—where they want to review our security posture and processes.

Even though they may have been working with us for a number of years, they want to re-review everything and make sure it aligns with how the world has changed.

The other thing is we're in a revolutionary period for IT innovation. So they want to make sure that if we are using AI—and we are heavily—they know we’re doing it ethically, protecting their data, and reviewing how security overlaps with all the features and functionality we’re rolling out.

We’ve seen a dramatic uptake in the last seven months, for sure, and we now offer this as part of a standard offering. We want to engage earlier rather than wait in the buying process. With existing customers, we’re reaching out and baking this into our quarterly reviews as well.

Understanding Different Types of AI

Very good. So one of the issues that’s been discussed with people is the different types of AI.

You could call them different things by different names, but I’ve been told traditional AI is more like machine learning—very good for producing specific, concrete answers—as opposed to generative AI, which might give you a slightly different answer every time but is great at summarization.

For example, you could have it summarize a visit. Every word won’t be exactly the same each time, but you may get a great summarization each time. That works for some things and not for others.

And then we have agentic AI, which is really just sort of coming down the pipe.

What are your thoughts about how those may influence the RCM space and which tools are relevant for that type of work?

Yeah. AI has been so overloaded with a number of different buzzwords, but also sub-scientific areas, like natural language processing, OCR scanning, and chatbots as part of LLMs.

To take your three big areas—which I think are a good way to break it down—machine learning has been around for a while. I’ve been doing that personally for quite a bit of time.

That’s more like training on documents, and it takes a really long time to even learn if you have something interesting there. You could think about it like this: we would hire PhDs, work on this for six months at a time, and we may or may not get to something that could be used in the product because the model might not work or solve the exact problem.

That’s traditionally what we called AI until LLMs, schema, and generative AI took off.

This is something FinThrive has been working on for a number of years. We have features in our products today that use ML, and we have a team dedicated to it. We have scientific researchers developing new models, and we still think that’s important. For example, we’re developing a prior auth rule engine model using Azure ML to make our prior auth product more effective.

Generative AI and Its Use Cases

The second area is generative AI, which really took off. Everyone is aware of the story with the compute power that NVIDIA’s GPUs and cloud systems provide today. Generative AI, like OpenAI’s LLMs, can generate, edit, and structure content. It recognizes content, performs pattern matching, and is really useful for generating anything related to language.

For example, appeals letter generation is a great use case for it.

It’s also great for interpreting chatbots. We have a chatbot for our analytics engine that allows you to write in natural language, and it recognizes that and turns it into code that is executed and run.

We also use it heavily internally. Big areas include Microsoft Copilot and GitHub Copilot, which our developers use to generate code more effectively.

Generative AI is huge. It’s all driven by LLMs, and integrating our own content with public LLMs is where the big value lies. The importance of this whole generative AI world is security and ethical use, which is a big focus for us.

The third area is agentic AI. As you mentioned, it’s really hot in 2025. We’re heavily investing in it.

We see a great use case in agentic AI, which packages the capabilities of LLMs, workflow, and RPA into one small agent of work. It’s responsive to inputs and outputs, combining workflow with LLM processing power and, if needed, RPA.

For example, we’re working on automated denial appeals creation. An agent could handle a denial, analyze how it relates to previous denials, create an appeal package using generative AI, and resubmit it before any human has to intervene.

This is a great use case we think will differentiate RCM, and we’re currently working on elements of this across all our products.

The Future of Agentic AI in Healthcare

Where are we with that in terms of that type of thing becoming an operational reality?

I think 2025 is going to be the year where we see all of this launching with agentic AI. We have use cases live with ML. Generative AI really took off in 2023 and 2024, and now agentic AI is where we’ll see significant progress in 2025.

The tooling vendors, like UiPath, Microsoft, and others, are really focused on that area, so it’s a hot buzzword right now. But as a hospital system CIO, working with your large-scale vendors as well as companies like FinThrive, you should find out what they can do. It can not only improve the patient experience and, hopefully, outcomes but also enhance your internal usage and workforce deployment. There’s a lot of savings we could see across the board with agentic AI.

You know, you always lean into science fiction when you spin this stuff out in your mind, right? I always wind up at the movie The Terminator. That’s where all this stuff always gets me. My head always ends up back in that movie.

As you were talking about an agentic AI tool dealing with something, now we’re talking about interactions between, theoretically, a payer and a health system, right? So you’re talking about something that you received at the health system and some agentic AI doing something with it and responding. Now, there’s no reason not to think that the payer won’t have a tool of their own over there—agentic AI.

I think I read about this happening, and, actually, there are some agents that can recognize when they’re speaking to another agent. Now, I don’t know what they do with that. I don’t know what happens with that. But do you have any thoughts on how this spins out?

Yeah. I do think we’re experimenting with tools such as voice RPA, which does an RPA agent. It’s kind of on the fringe of AI, which will call in to try to find out if there’s insurance coverage. And, yeah, it’s answered by an AI-operated agent on the other side. So you have two RPA agents talking to each other, and I think AI is going to be the same thing.

Most of what we’re seeing in 2025 is going to be assisted AI, so there will be some human intervention or oversight because we’re not ready to set everything free.

But as we evolve, there will have to be standards in place so that there can be machine-to-machine communication, which there is today, by the way. It’s just not AI-driven. But we have machine-to-machine interactions and interoperability. It’s similar to how the stock market works. It’s not human beings making trades.

So there will be more and more intelligence on API and integration as we evolve. And I think as long as it’s in the nature of supporting whatever business it is they’re running, it’s all good. It’s just smarter API integration over time.

So I’ve had this discussion with other people, and they’ve specifically mentioned the stock market as well as an example of something that’s happening without a human in the loop—some of the trading that goes on. There was an incident—I forget which one it was—but it was a market crash.

Yeah. Oh, yeah. It was a programmatic crash.

Programmatic trading, and they couldn’t actually figure out what happened.

Yeah.

It happened, and there was some kind of crash. And I guess it came back—I don’t know how quickly—but they couldn’t figure it out afterward. They were wondering. You don’t know, right?

So, anyway, this discussion takes place on the clinical side too. Certainly, that’s where you hear “human in the loop, human in the loop, human in the loop.”

Yeah.

But I did hear a CIO say on a stage at the ViVE show that that means a limitation in scaling. Anytime you have a human in the loop, people are saying it as a way to give comfort and reassurance, but there is a downside to having a human in the loop.

Certainly, there’s too much risk on the clinical side to not have a human in the loop.

I don’t know about, you know, if things are going to get so interesting, right, and we’re going to learn lessons, if we’re going to get burned, if we’re going to pull back. But I don’t know. Any other thoughts there?

Yeah. No. I think you’re capturing the dilemma that everybody has in rolling this out. And it goes back to the old-fashioned ways.

Make sure you’re picking the right vendors. Review what vendors are doing. Make sure, as vendors, we build things smart and responsibly and don’t take shortcuts.

You know, there are a lot of startups out on the floor that are spinning ideas and have great marketing around them. We have to be sure that we have the ability to audit what happened, the ability to interact with it, and the ability to change and influence it so we can learn from any mistakes.

We need to write software in a way that makes sense and ensures we understand what it’s doing. That can take the form of a lot of different things. It can take the form of an alert to your phone if something strange happens. It can take the form of having log files.

We’ll see a lot of different things evolve so that we have traceability throughout the process. We also have to be smart about targeting pilot solutions, making sure they work, and ensuring we’re not going too fast too soon.

That’s where we, as an industry, have to make sure it makes sense.

Challenges in Third-Party Risk Management

Alright. Very good. You mentioned third-party risk. I was in a session yesterday, and the upshot of that was, you know, it was an interesting discussion, but the upshot was this: listen, all this work that health systems are trying to do around third-party risk—which has revolved around questionnaires to a large degree, which I always found absurd.

I would have these discussions, and we would learn that questionnaires were being sent. God knows how much work was going into creating these questionnaires, sending these questionnaires, and then, you know, tracking them and possibly having them updated.

But how much risk was really being managed other than going through the motions and checking a box? I always felt it was probably extremely minimal because you have the entity that wants the business telling you, “Hey, we’re good.” Of course, they’re going to tell you that.

Now, I’m not saying anything against vendors, but the incentives are a little messed up for the self-attestation of, “We’re good. Don’t worry. We’re good. Just buy it.”

So the upshot of the discussion last night was, yeah, we’ve realized this is ridiculous, and we can barely manage our own risk. So instead of focusing so much energy and worry—I guess they’re still going to try and do stuff—but instead of putting all the eggs in this basket, we’re going to focus on resilience and recovery. We’re going to assume.

We’re going to try and work with good companies. But in terms of managing the risk of hundreds of vendors we work with, it’s absurd. What are your thoughts?

Yeah. Well, I think what you’re bringing up is what we’re hearing from customers too. At FinThrive, we have a benefit around providing a platform for RCM. We have a solution for every part of the RCM process, and we feel like we can optimize and reduce a lot of friction and segmentation.

And we get this question all the time: “Well, aren’t we putting all the eggs in one basket versus having multiple vendors?” And I think it’s a good one.

The review process, though, if it’s thorough, can catch a lot of weakest-link issues you may have.

But the other thing is vendors like us are developing not only disaster recovery plans for catastrophic events but also secondary environments that are cyber-resilient. Let’s just say it can never be 100% perfect, but you could be back up and running within five days.

That’s the type of message I think health system CIOs should be asking about. They should ask vendors, “What do we do not only with a disaster? Do you have a disaster recovery plan? Can we co-test with you?”

That will prove that they are failing over and running off their secondary environment, which is a big lapse in most people’s DR testing.

So you can get some of those answers and actually test directly with them. And then, what do you do during a cyber event? Do you have any fallback plans beyond just insurance? Cyber insurance is what a lot of vendors will say, but making sure that vendors are building a secondary environment allows you to have one contractual agreement with a vendor but two distinct avenues—totally separate hardware that can be isolated in the case of a cyber event.

The thing about the audits and the questionnaires not being effective—the number of ransomware attacks in financial services in the last five years is zero. Financial services invest heavily in IT security and reviews, and you never read about it in the newspaper.

In healthcare, in our industry, we read about it once a month, if not more. Unfortunately, we have really valuable data, but we’ve also been underinvested.

So I do think everybody trying to make a case for more investment to be able to do those reviews—either through a third party or independently—will help. And, certainly, even though there is the case that a vendor may answer a questionnaire knowingly in a different way, I think that’s rare.

In most cases, there are gaps and mitigations, and you have to ensure you’re able to live with that as a purchaser. So I think we’ve got to keep that up because it’s not going to go away in the short term until we get some sort of AI agent to do it for us.

But we should provide a lot of oversight on the vendors we’re purchasing from and continue to do so. It has to be a yearly review, if not bi-yearly, and make sure you don’t just do it when you’re purchasing software. You need to review thoroughly throughout the engagement because the technology is constantly changing—and so are the threats.

The Importance of Continuous Vendor Oversight

Right. Very good. But one of the points made last night was—and there may be different issues at play here—one of the points made in the session yesterday was that Change Healthcare would have passed every check.

Any and every check you could have put on them from a cybersecurity point of view, they probably would have passed because—

Well, they would have failed one big one. They didn’t have multi-factor authentication to their secure systems.

Okay.

So let’s play with that idea. Would they have communicated that in a questionnaire?

Yeah.

Yes.

I think they would have, and I think they would have had a mitigation plan, but they would have had to.

You’re telling me that nobody sent a questionnaire to Change Healthcare in the two years running up to this incident where the response was, “Hey, we don’t have MFA over here”?

I think people accepted it.

I guarantee—

So you think there was an honest response, and the health system allowed it?

It wasn’t high enough on the radar.

Yeah. I do not think it’s the case that a vendor would knowingly falsify responses. It’s more the case that the business wants to purchase the software and forces IT to accept the risk.

Almost every vendor has some sort of nuanced answer to a questionnaire, but that’s the importance of investing in your security team and knowing when to make those business decisions.

There will be gaps in solutions, for sure, and you have to know the mitigations are there and what you’re going to do in the case of a ransomware or cybersecurity event because it could happen.

So I don’t think vendors knowingly falsify, but I do think IT gets forced to approve it from the business.

Sure.

Well, can you imagine if a CIO said to the business, “Hey, we can’t use Change Healthcare because they don’t have MFA on the server”? They would have said, “Every health system in the country uses this. What are you talking about? You found something no one else has?” And no one would have believed you.

Yeah.

Right?

Well, maybe no one—I mean, the business of that one healthcare system.

The CEO looking at this—not that the CEO would be the person this would bubble up to—but somebody who was alerted to this on the business side, I can’t imagine they would have said, “You know what? You’re right.” They would have said, “Everybody uses this.”

Yeah.

I agree. But that doesn’t stop us. Just because everybody crosses the street when there’s not a walk sign doesn’t mean you should.

That’s what I tell my students.

Yeah. Right?

But, you know, the chance that someone is going to cross a street with a “Do Not Cross” sign increases 70% if other people are walking ahead of them.

In other words, we follow the lead of whatever is there.

So I do think you’re right in that that’s the case, but there are two big things. You can’t be afraid to do your own review.

Alright.
 
And if you’re not equipped to do it, use a third party to do reviews because it’s on the health systems.

You know? It’s your responsibility and accountability to do that.

The other thing is Change was kind of unique because they had proprietary connections to payers that limited us from getting access to them. So the industry needs to have more redundancy.
 
Yeah.
 
That’s true for the stock exchange, like we learned years ago. Financial services moved away from point-to-point connections. You need an ecosystem with backups and redundancies.
 
And we’re hopefully seeing the market move in that direction with respect to claims.
 
Mhmm.
 
Well, yesterday, there was a session. I wrote an article about it—it’s not published yet—but the Health Sector Cybersecurity Coordinating Council, Greg Garcia, said they’re working on that. They’re working on mapping the flows of information in the healthcare ecosystem to identify a Change Healthcare-type vulnerability.
 
But what’s interesting is—and I asked him about this—they’re unsure of the degree to which that’ll be shared with the public because it’s sort of pointing the finger to the bad guys, saying, “Hey, there’s a vulnerability here,” which I get. So they’re talking about possibly sharing it directly with health systems in a sort of quiet, backdoor way, which I guess makes sense, although I want to publish the information.
 
Yeah.
 
Yeah. You can’t release vulnerabilities.
 
But you can release the standards and have a questionnaire that people—Cloud Security Alliance is a good example, where standard questionnaires came in. People should use that. They can tap into security alliances.
 
And I think in this case, healthcare, those guys will be doing a good job to try to get standards, and that should give us some more insight.

Challenges of Prior Authorization in Healthcare

Right. You mentioned prior auth. I just want to go back to that. That’s a huge issue on a number of fronts. The policy front—they’re looking at that.

It’s a real problem for clinicians. It’s a frustration point everywhere.

Now, we understand what it’s all about. The payers are trying to make sure that a procedure or service doesn’t occur that they don’t intend to pay for, because I guess it’s better to address it before than after. But it slows things down.

I guess it can be slow. It’s—it’s—there’s a lot of policy stuff. There’s a lot of politics stuff here. You know, how are payers wired? Are they wired to pay as little as possible, as often as possible? Are they wired to deny first, knowing that many denials will just never be appealed, and that’s better for their bottom line?

So there’s all kinds of stuff here, but I guess we don’t need to get into all that unless you want to. But from a technology point of view or from the point of view of your business and health systems, where are we with prior authorization and making that an easier process for health systems?

Yeah. Yeah. There’s a lot—there’s a lot in there.

Doesn’t work.

Yeah.

Yeah.

You can ignore any part of it.

Yeah. I mean, I can’t speak to the desires of the payers, but I do know that denials are going up to the point that it’s impacting hospital systems or healthcare systems.

Leveraging AI for Denial Management

The thing that’s interesting about what we started this conversation on with AI is we have the information on what is getting denied from payers, from different payers, from different providers, and we can create—we have a prior auth product, for example—and we can now create an intelligent prior auth rule system.

Before, it was hard-coded. You wrote it with templates or whatever, but now it can actually be living and change constantly, updated with AI. So we should see denials being addressed better and prior auths happening when they need to more often.

So I think the technology is enabling us to get better at predictive denials and also prior auth-required analysis, and we can continually update. Whereas previously, you had to do it with code, and it took time. You had to re-release it with new rules, and you had to manually configure stuff.

Now we’re writing systems that are adaptive, learning, and AI-driven, and I think they will help hospital systems.

So they should look at their vendors who are providing that and see how it’s adapting over time because I think the technology is there now to help address some of these issues.

We have a denials reduction team, and that’s really what we’re going after in 2025. I’m sure a lot of other vendors are, but we think it’s really important to try to tackle. And our advisory board—our key customers—tells us it’s the number one thing we should go after and try to reduce.

So all of our products are integrating that detail—not only seeing the effect of it on your cash flow but also making sure that you’re addressing it early and trying to get ahead of it. It’s a big area that needs to be addressed, maybe legislatively.

But, you know, as far as that, we can provide the technology that should help.

So when we talked about the ambient listening, one of the issues with ambient listening is the ROI is what you call a soft ROI. It reduces pajama time, reduces physician burnout. People cite the numbers in terms of cost for replacing physicians.

So, you know, it makes sense. It’s hard to argue that it would not help the physicians in their quality of life, but it’s still a soft ROI.

With your work, I mean, this is real hard ROI stuff, right? I mean, it should be an easier sell to get some of this stuff going.

Yeah. I think if you can reduce denials, you can report all that.

There you go.

Right?

It’s not—

Yeah.

I mean, the one challenge I would say we have—and maybe the whole industry has—is it does move.

Like, we may be able to capture onto some denial thing, but that’s constantly going to be changing from the payers too—

Uh-huh.

—to your point to start this thing. So that’s why this AI thing is so interesting because we want to see a slowdown, and we want to see it maintained. And then we want to predict how much cash and impact there is so that we get visibility on it.

And then, as we get changes and detect real-time changes—not just from one provider but many providers and different payers—we have to adapt and keep learning. You know?

And that’s why we’re in a good period for healthcare systems in that the technologies that vendors like us and others are using—the cloud capabilities, the public cloud providers—are finally catching up to where we should be able to tackle this problem to get the revenue situation looking a little better.

Enhancing Patient Experience Through Technology

So if you look at a couple of the main areas that CIOs are focusing their time on, it’s physician experience to reduce physician burnout.

Obviously, anything related to patient safety. But patient engagement is off the charts too. They want to provide that Amazon-like experience. It’s called, you know, the digital front door. They want it to be like Amazon, Facebook, whatever you want to call it, and be a more pleasant experience. They don’t want patients to have to log in to five different apps.

Yeah.

All these kinds of things. Does what you do bleed into that area in terms of the payment part of it?

Yeah. Yeah. We’re a full platform company, and that does include patient and virtual intake.

So we have systems, including a mobile app, to do that, and we’re connected to payment systems to handle that directly. So we have products that support that.

And the benefit of doing it upfront on the front door is that you can understand exactly what’s going on with prior auth and everything else that’s tapping into our database of data and AI-driven tools and intelligence earlier in the process. So you can do an analysis of a particular contract with a particular payer at the time a patient is checking in versus just having a front-door-only type solution, which may not give you that.

But I do think healthcare systems need to invest in a refresh. I mean, we’ve all been to the hospital or an ambulatory site, and it’s a pretty disconnected experience.

What we’ve been going after is the platform view—a single sign-on platform, portal entries, standard user experience, customer experience, all that.

So that’s where we’re heavily invested.

And I think healthcare systems can find solutions to try to address the front door and back door altogether, for sure.

So, most of the big health systems are Epic-based now.

Are you integrated with Epic? Do you work with Epic so that they get that seamless experience?

Yeah. Yeah. And that depends on the product, but we’re integrated by API. Epic does FHIR APIs.

We’re integrated across that on the front end. Or we call a lot of API integration. Epic is the front door in some cases.

So, yeah, we’re connected with them. We have a number of customers, and we work with them directly on that. Obviously, they have a huge part of the market.

So, we do. We have a very good integration with them, and we feel like that’s going to be a big driver for that.

Alright. So, just a last question or two.

Comparative Complexity of Healthcare Systems

Your best advice—you’re a technologist. So you’ve been in a lot of other industries, right, or a number of other industries.

It’s interesting to get that outside view. You mentioned healthcare needs a refresh. You know, we hear that all the time—ten years behind, whatever number you want to use.

But then the folks in healthcare would argue back to you that it’s complicated. It’s more complicated than other industries, so you can’t—it’s not an apples-to-apples comparison.

You buying any of those excuses? Or what are your thoughts around, you know, having been in other industries about where healthcare is today?

I do 
In global tax, if you are working sales tax in the United States, there are 14,000 tax jurisdictions that change constantly.

And depending on whether you have a soda from a bottle or a fountain soda, you get different taxes.

Mhmm.

It’s super complex.

Mhmm.

I was also in benefits enrollment. It’s one of the most complex things that there is. And I was in financial services working with trading, post-trading, post-settlement trading, and all that.

Right.

So I don’t think there’s anything more complex, but I don’t think we’ve given it the investment and priority.

There hasn’t been enough of a voice from the IT side to be able to get—besides what the physicians are using on the EHR—a lot of the other systems have been kind of left behind to their own devices.

And they have antiquated user experiences. They have security risks.

Yeah.

They have a lot of things that CIOs need to step up and say, “What about these over here? This has some of our most important information. Let’s refresh it. We can get some optimizations. We can get more intelligence, and we can get better connected with our front office activity.”

Like, you talk about ambient listening through a user experience. Imagine it then hooking into claims, constructing claims that are going to reduce your denials and be able to get through to the payers.

And we should be thinking about straight-through processing because it’ll benefit the payers too.

So I think over time, we’re going to get there. We’ve just been a little bit behind.

What about the argument that, “Well, we don’t have the money. We don’t have the margins that we have in other industries. So that’s why we’re behind.” Are you buying that?

Well, it is the nonprofit world. Those have more constraints, for sure. And financial services, for example, have a lot of profit in that business.

So I do think there are constraints on that, but the software is cheaper. So you’ve got that.

I don’t know.

You’ve got that. But, no, I do think you have to—and I think that’s working with your vendors to construct an ROI and make a business case.

Because I’ve seen—we’ve seen—the ROI just on using, like, insurance discovery. There are vendors that have one insurance discovery solution but are only finding maybe 50% of what they could find if they stacked up a secondary and a tertiary solution.

They should be looking for multiple vendors. They can do lots of things to increase their revenue that allows—this is what we say just in software, being a CIO myself—if you can save money in other places, then you can feed it back into the revenue-generating businesses.

So I think you can find the money if you were to look at it holistically.

Mhmm.

I think insurance discovery is a great one to look at because that’s just money on the table. You know, you can scoop that up and make money finding insurance coverage.

And then, secondarily, working with the vendors to make sure a real ROI is constructed, rather than, you know, kind of piecemealing and people just thinking that they’re doing the latest thing. You know?

You’ve got to refresh what you’re looking at. It doesn’t hurt to go to RFP, get an analysis of what’s out on the market now, see where you are, and then, you know, nothing needs to be done. Nothing needs to be done. We should get the business case together for the next year if that’s the case.

Best Practices for Vendor Management

Alright. Last question. Your best piece of advice for CIOs at big health systems.

You know, from your angle and the things that you do, the angle you have on the industry, what would you say, like, “Hey, guys,” or, “Hey, guys and gals, don’t forget about this,” or, “This is changing,” or, “You may not have looked at this in a while—take another look.” Just some high-level kind of your best piece of advice if you were giving a little private consulting.

Yeah. I would personally reevaluate all my vendors and do an in-depth security review.

Okay.

Because I think not just doing the RFP security questionnaire and all that—actually do a meeting and learn what they’re about. Ask them to come on-site if they have to. Actually learn what they’re doing and make sure you combine with the CTO and the leaders of the vendor organization.

Because, number one, the vendor should be willing to do it when you’re a key customer. And, number two, you want to get that peace of mind to be able to sleep at night, you know, which is more, like we said, more than just a questionnaire. You want to find out what they’re doing, where they’re investing, and where they’re going, and it has to be real. And when you have real face-to-face meetings, you know, that becomes sort of, like, more believable.

But does it make sense to say if you have 800 vendors, you can’t do them all? So maybe figure out your top 20, 30, 40 most critical vendors and do what you said with them.

Yeah. Yeah. We had somebody speak at our—that is a CIO at a large healthcare system. I won’t name them, but he went from 130 vendors to about 18 over the course of two years.

So vendor consolidation should be a really important thing that people have to tackle because if you have 800, it’s the weakest link. There’s going to be something in there you don’t know about, and that’s going to kill you.

It’s unmanageable.

Right?

Got it. You’ve got to get it down to a reasonable set of vendors. You know? Make sure you’re thoughtful about how you consolidate.

And now you have vendors who can take on the risk to be a better partner to you. You get more influence in the roadmap. You know? It makes a lot more sense than being spread out all over the place.

Yeah. It was the chief innovation officer speaking last night who said that the one offset is vulnerability because, as you said, if you’re reducing your vendor family, you’re going to need each one of those to do multiple things.

Oh, yeah.

Right. And it’s a heavy, heavy cost. We have a slide in our presentation that talks about our investment in security, and our CEO is very security-conscious.

Our board is. I am. Everybody on our team is. And we invest heavily—8% of our revenue kind of thing.

So—

Yeah.

How can every single startup vendor that you have—or any—well, a lot are not startups in this space. A lot have just been, you know, not taken care of.

The Importance of Continuous Security Investment

They’re not investing. And it’s constant. You cannot reduce your security budget, you know, kind of thing. You have to constantly invest and make sure it’s part of your development process, and it’s a constant—it’s a real burden.

But at the same time, that’s what you have to do because there’s a cost to doing business.

Yeah.

Alright, John. I want to thank you so much for your time today. That was wonderful. I really appreciate it.

Thanks, Anthony. Great being here.