Information Resource Management Plan

Transcription

1 Healthy & Safe Oregonians: Health and Human Services Agencies Information Resource Management Plan Healthy, Safe Oregonians IRM Page 1 of 34

2 Table of Contents About This Document Introduction Strategic Information Management Framework Drivers Aligning Strategy, Priorities, and Plans Guiding principles Information Resource Management Goals IT Management Vision Enterprise IT Overview IT Environment Maturing the IT Organization IT Workforce IT Budget IT Governance Enterprise Architecture IT Infrastructure Cyber Security and Privacy Major IT Projects Underway Centralized Abuse Management Integrated Eligibility Provider Time Capture Learning Center to ilearn Migration Behavioral Health Integration Health IT Portfolio Oregon Eligibility (ONE) Phase 2: Enhancements Medical Marijuana Expansion Medicaid Electronic Document Management System Medicaid MMIS Hardware Refresh Transformed Medicaid Statistical Information System HIV Electronic CAREAssist Tracking Home Visiting Effectiveness in Oregon Healthy, Safe Oregonians IRM Page 2 of 34

3 3.10 Major IT Projects Recently Completed Oregon Eligibility (ONE) Phase Women, Infants and Children Electronic Benefits Transfer Medical Marijuana Compliance MMIS ICD10 Conversion MMIS COMPASS MMIS Disaster Recovery Home Visiting Data System Proof of Concept Major IT Projects Being Proposed MMIS Modularization Planning WIC TWIST MMIS SSN Removal Initiative Strategic Goals and Objectives Mapping Projects to Strategic Goals and Drivers Appendix Healthy, Safe Oregonians IRM Page 3 of 34

4 ABOUT THIS DOCUMENT This Information Resource Management plan [IRM] is intended to help realize the vision of the Governor and the State CIO for the future of technology in state agencies. It represents part of the State CIO s statutory obligation to ensure the implementation of the Enterprise Information Resource Management Strategy. This plan describes the current state of the information and technology environment in the health and human services agencies including current resource levels and projects, the information and technology governance environment at the agencies, significant challenges and opportunities, and plans for the future of information and technology management. This plan also identifies significant drivers of future policy-area IT strategy, as summarized in the diagram below. The drivers are described in more detail in Section 2.1. Governor s vision Enterprise IRM strategy Agency strategic plans Policy-area IRM plan External mandates Agency IT plans Changing technology Since this is the first-ever policy area IRM the bulk of this document reflects existing plans and the current state of operations in the policy area, mapping existing work to agency and enterprise objectives. The goal of this document in the larger strategic framework is to solidify a foundation for ongoing deeper and more aspirational strategic planning in coming years. The agencies included in this IRM make up one half of the Healthy, Safe Oregonians Focus Area Team created by Governor Brown in The other half of this team is made up of the public safety agencies, for which OSCIO has created a separate IRM. Oregon s health and human services agencies work in a large and very complex environment. Information technology is critical to delivering on the missions of the agencies, and is in itself an abstract and complex domain. This document aims to help the reader navigate the connections between IT and the larger environment, to clarify and improve how the largest and most important IT-related decisions are made, and to improve understanding of the impacts of these decisions on the lives of Oregonians. Healthy, Safe Oregonians IRM Page 4 of 34

5 1 INTRODUCTION The State Chief Information Officer [OSCIO] has an obligation under law to maintain an enterprise-level information resource management strategy [EIRMS]. Guidance from participants in the various enterprise governance efforts directly influence the nature and content of the strategy. While law requires at least a biennial update of the strategy, in practice strategy deployment is dynamic reflecting an ever-deeper understanding and refinement of the path forward. In 2016 Governor Brown formed four Focus Area Teams, representing strategic groupings of agencies by policy areas. The work of the Focus Area Teams is to refine, implement, and monitor the Governor s strategic plan. Governor Brown s Vision Statement Oregonians succeed in vibrant communities that offer opportunities for all individuals to engage their full potential. A thriving Oregon is resilient and sustains the well-being of current and future generations. Healthy, Safe Oregonians The Healthy, Safe Oregonians policy area is a new creation that will serve to foster critical alignment between groups of agencies that frequently address deeply intertwined issues, such as mental health and addiction, from very different perspectives. The potential benefits of an integrated approach are enormous, and leadership at all the included agencies have been collaborating for many years. Yet because the formal structure is new, it has not yet resulted in a depth of joint planning appropriate to support a unified IRM plan. This document stands with its companion document, the IRM for Public Safety, only for the present it is anticipated that future iterations will reflect progress in joint planning and alignment across both groups of agencies. Health and Human Services Agencies Oregon Health Authority Department of Human Services Commission for the Blind Psychiatric Security Review Board Long Term Care Ombudsman Patient Safety Commission Board of Chiropractic Examiners Board of Licensed Social Workers Board of Licensed Professional Counselors and Therapists Board of Psychologist Examiners Board of Dentistry Board of Massage Therapists Medical Board Board of Medical Imaging Mortuary and Cemetery Board Board of Naturopathic Medicine Board of Nursing Board of Pharmacy Occupational Therapy Licensing Board Board of Optometry Physical Therapist Licensing Board Board of Examiners for Speech-Language Pathology and Audiology Veterinary Medical Examining Board Healthy, Safe Oregonians IRM Page 5 of 34

6 By far the largest two health and human services agencies are the Department of Human Services [DHS] and the Oregon Health Authority [OHA]. The two agencies are served by a shared IT department (the Office of Information Services) and a single Chief Information Officer. The policy area also includes four agencies that are too small to have dedicated IT staff (Oregon Commission for the Blind, Psychiatric Security Review Board, Oregon Patient Safety Commission, and Long Term Care Ombudsman) as well as 17 professional licensing boards. To understand the scale, it is helpful to note that the operating budget and size of the largest of these 21 small agencies is about 0.1% of that of DHS or OHA. Yet each performs work essential to the wellbeing of Oregonians and must not be neglected. Because of the modest scale and tactical nature of their IT investment these 21 agencies are referenced in this document only as information or questions of particular relevance arise. Only two have dedicated IT staff (the Medical Board and the Board of Nursing, with three IT positions each). The Commission for the Blind has relatively unique and mission-centric IT needs and is also referenced as appropriate. Perhaps the most important IT-related issue regarding these 21 agencies is the issue of cyber security, the strategic concern that led to Governor Brown s recent Executive Order Unifying Cyber Security in Oregon, and that may also lead to related legislative action. Information risk is not necessarily lower at small agencies and may be as high as, or even higher, than at larger ones. This question is further addressed in section 3.8 below. Healthy, Safe Oregonians IRM Page 6 of 34

7 2 STRATEGIC INFORMATION MANAGEMENT FRAMEWORK 2.1 DRIVERS Governor Brown s draft Strategic Initiatives for the Healthy, Safe Oregonians policy area: Ensure that every Oregonian who needs alcohol and drug treatment or mental health services can easily get it. Ensure all Oregonians have equitable and appropriate access to affordable, high quality health care. Keep communities safe through mindful law enforcement and using data and analytics to balance accountability, reformation and treatment in order to reduce recidivism and prevent future victimization. Department of Human Services Priorities 1 : Subgoals are shown (italicized) only when they have a significant technology component. Increase safety and reduce abuse of children and adults. o Implement a single system of adult abuse reporting. Help people live as independently as possible, including securing and maintaining competitive employment. Improve service equity. Build provider infrastructure. Implement integrated eligibility across programs o Begin development of a system supporting integrated eligibility for Medicaid, SNAP, and TANF; o Improve interagency business process integration in areas where we jointly serve clients. Make more efficient and effective use of resources. o More effectively govern shared services, especially IT. Improve program integrity and management of risks. Improve employee engagement. Improve stakeholder engagement. Oregon Health Authority Priorities 2 : Subgoals are shown (italicized) only when they have a significant technology component. Make Oregon Health Plan member experience with Oregon s Medicaid program simpler, easier, more timely and reliable. o Deliver accurate, timely, and reliable data through enrollment and eligibility data systems. o Implement highly functioning technology systems to support eligibility, enrollment, and closures. Create a behavioral health system that works for all Oregonians. 1 From DHS leadership priorities list, 7/18/ From Healthy, Safe Oregonians IRM Page 7 of 34

8 Address inequities, disparities and disproportionate impact to achieve health equity in OHA health systems. o Reduce disparities in OHP enrollment and eligibility determination among Oregon s linguistically diverse populations. Accelerate health system transformation and maximize the value of Oregon s investment. o Enhancing cross system collaboration among health, early learning and housing. o Accelerating value based payments and aligning metrics to reward better health outcomes. o Enhancing health system tools to support and improve care coordination. Advance Oregon s health system transformation through renewal of our 1115 Medicaid Demonstration Waiver. Modernize Oregon s public health system. Address Rising Pharmaceutical Costs. Implement Oregon s retail and medical marijuana laws to protect public health. o Establishing effective registration, compliance, and enforcement for dispensaries, growers, and processors. Maintain a fiscally sustainable budget. Empower and strengthen the skills and capabilities of OHA s employees. Federal Mandates: The Federal Centers for Medicare and Medicaid Services [CMS] oversees the Federal Medicaid program, among others. Because of the substantial budget involved, CMS rules can have significant impacts on the states. At the present time three CMS-related Federal mandates are affecting the IT work of the Health and Human Services agencies: o CMS has announced that it will require managerial and technical independence of quality assurance [QA] vendors on all future IT projects. On future CMS-funded projects agencies will not be able to hold or manage their own QA contracts. The task will naturally fall to the Office of the State CIO [OSCIO] which has the necessary expertise and authority. This is a significant change from historical practice and will require OSCIO and agencies to develop new processes for collaboration. OSCIO is scaling up its capacity to manage quality assurance contracts, and a first experiment is underway with the Integrated Eligibility project. During the period of adaptation and scale-up, projects may experience some impact. o CMS has for at least five years signaled their interest seeing states move to a modular architecture for their Medicaid Management Information Systems [MMISs]. Oregon s MMIS is a very large IT system; the current lifecycle contract value for building, maintaining, and operating it is approximately $350M. It has connections into many programs across DHS, OHA, and other agencies. Oregon s MMIS was implemented and is operated by Hewlett Packard Enterprise [HPE] under a contract that is currently being extended into 2022, which will be its 13 th year of production operation. The system is functioning well, but the modularization direction from CMS, together with the 90% Federal matching funds that they are making available to support modularization, gives Oregon a special and limited opportunity to benefit from planning for and moving to a more modern, modularized structure. Modular IT architecture generally promotes both lower lifecycle costs and improved ability to innovate. For Oregon the most significant wins will follow from the Healthy, Safe Oregonians IRM Page 8 of 34

9 expected increase in agility, since a modular MMIS will be better positioned to support Oregon s innovative and cutting-edge Medicaid program as it strives to deliver cost containment and improved services. This change will require a great deal of careful effort to plan and implement, so it will benefit the state to begin the process as soon as possible. o CMS provides 90% of funding for multiple IT projects beyond MMIS, including for portions of Oregon s current Integrated Eligibility project. A temporary waiver (the OMB A-87 Cost Allocation Exception ) allows CMS to temporarily maximize funding for projects that serve multiple Federal program areas. Oregon s effort to simplify and streamline the application for and administration of benefits across programs and agencies puts the State in position to benefit from this waiver. It has been predicted that for the Integrated Eligibility Project, the full benefit of operating under this exception will save Oregon approximately $40M (relative to what the same work would cost Oregon were the exception not in place). The project must be completed by December 31, 2018 in order to receive this benefit. The Federal Department of Health and Human Services [HHS] rule on Comprehensive Child Welfare Information Systems [CCWIS] went into effect on August 1, The rule governs the next generation of technology to support child welfare programs. Current systems, known as Statewide and Tribal Automated Child Welfare Information Systems [SACWIS or S/TACWIS], are built to outdated standards and requirements. The new rule focuses on modularity, interoperability, reusability, data sharing between programs, lifecycle data management, and data quality. While there is no Federal requirement to transition to CCWIS, HHS has indicated that (after a transition period) Federal match levels may be reduced for states that do not make the transition. Oregon could stand to benefit from the functionality of a new system. Exploring the potential benefits and planning for the likely transition will require a significant investment of time and resources. The Federal Workforce Innovation and Opportunity Act [WIOA] will affect multiple agencies and programs in the state. It includes substantive changes that will affect the DHS Vocational Rehabilitation program and also the Vocational Rehabilitation Program of the Oregon Commission for the Blind, which will in turn demand changes in the technology supporting the programs. Federal mandates around information security, privacy, and accountability are evolving rapidly. Of particular relevance is the Minimum Acceptable Risk Standards for Exchanges (MARS-E). MARS-E provides a single, integrated approach to security and privacy that addresses multiple Federal requirements. Recently released MARS-E 2.0 defines a new harmonized security and privacy framework and introduces a broad new set of privacy control families. In addition to insurance exchanges, compliance is required for eligibility and enrollment systems related to Medicaid including Oregon s ONE system and its successors. The Medicare Access and Children s Health Insurance Program Reauthorization Act of 2015 requires that CMS remove Social Security Numbers from all Medicare cards by April CMS has announced that they will begin using a new Medicare Beneficiary Identifier to replace the Social Security Number on Medicare cards. This will necessitate changes to supporting technology including MMIS. State Mandates: The provisions of Senate Bill 1538, requiring agencies to conduct regular information security assessments and make reports to the Legislative Fiscal Office. Healthy, Safe Oregonians IRM Page 9 of 34

10 Governor Brown s Executive Order unifying cyber security through the remainder of the biennium, and Legislative Concept [LC] 779 which would make the unification permanent. The provisions of Senate Bill 1539, requiring agencies to submit to OSCIO and the Legislative Fiscal Office documentation of cost analysis or feasibility studies regarding the procurement of IT services. The provisions of House Bill 3099, clarifying and broadly strengthening the role of the State CIO and requiring agencies to adapt to new practices. The provisions of House Bill 2375, setting broadly-applicable standards and requirements for procurements, contracts, and contract administration functions. The provisions of Senate Bill 604, requiring OHA to establish and operate an electronic system for managing practitioner credentialing information. The provisions of House Bill 2294, establishing the Oregon Health Information Technology program. Stakeholder Expectations: The longstanding need for a simplified, consolidated application process that Oregonians can use to apply for and obtain State assistance across multiple agencies and program areas. Increasing public demand for mobile access and self-service across all areas of public-government interaction. The demand for public data, collected or stewarded by the State, to be made proactively available, easy to access, and easy to use. The need to improve equity, inclusion, and understanding of all kinds of diversity across all programs and operations in the policy area. As systemic opportunities and challenges, equity and inclusion are best served not by separate projects but by deliberate incorporation into every process and initiative. To that end, the Governor s Focus Area Team on Healthy, Safe Oregonians has adopted an equity and inclusion lens through which each strategic initiative will be examined and assessed. Both DHS and OHA have executive-level positions and substantial resources committed to promoting inclusion and creating equity in the services they deliver and the outcomes they work for. In the realm of technology the objectives of equity and inclusion manifest as modest differences in every project from the Race, Ethnicity, Language and Disability [REAL+D] initiative that informs many projects in OIS to accessibility efforts in public-facing websites. Fiscal Responsibility: The Health and Human Services program areas represent the largest share of the state s all funds budget (43.1% or $29.7B of the 15/17 budget, per LFO 3 ). While a very significant fraction of this represents Federal funds, the general and lottery fund portion is still very large (25.6% of these funds or $4.8B). Oregon s most recent economic forecast by the Office of Economic Analysis (9/1/16) indicates that the state should prepare for some belt-tightening, with risks clearly tilted toward the downside. DHS and OHA have both taken great care to shape their 17/19 agency requested budgets for strategic investments while carefully managing costs. Proposed IT investments are shaped by the same concerns, with a strong focus on making investments intended to deliver the most strategically important outcomes of cost avoidance, cost savings, risk management, and most critical increased benefits to Oregonians. 3 Healthy, Safe Oregonians IRM Page 10 of 34

11 Health System Transformation: Oregon is in the process of making broad changes to the state s health system to achieve the Triple Aim goals of better population health, better patient experience of care, and lower per-capita cost. The many efforts OHA is leading include introduction of the coordinated care model in Medicaid, alternative payment models, patient-centered primary care homes, flexible spending for Medicaid, and community health workers. Transformation efforts guide many investments including IT investments. One example is Oregon s Medicaid Management Information System [MMIS], a very large technology system that is core to operations of the Medicaid program in the state. MMIS represents a large investment the vendor contract alone is worth $350M over 13 years, and does not represent all the costs of MMIS. But this cost pales beside the cost of the medical assistance programs it supports a budgeted $13.6B in the 15/17 biennium alone (per the LFO Legislatively Adopted Budget Detailed Analysis). The primary strategic concern for the state in making decisions about MMIS must therefore be guided not primarily by the cost of the system itself, but by the ability of MMIS to support dramatically larger potential cost savings and improvements in the lives of Oregonians that will flow from the successful transformation of the state s health systems. Another example is the Emergency Department Information Exchange [EDIE], a Web-based technology that enables intra- and inter-emergency department communication, allowing emergency department clinicians to identify patients who visit the emergency room frequently or have complex care needs. Identifying these patients lets the clinicians direct them to the most appropriate setting of care. EDIE alerts hospitals in real time when a patient is visiting the emergency room. A third example of technology supporting health system transformation is PreManage. In complement to EDIE, PreManage is a technology that can send hospital event data for specific patient populations to health plans, coordinated care organizations [CCOs] and provider groups in real time. This notification, made directly to those responsible for patient care, supports timely and informed care coordination, population management and discharge planning. 2.2 ALIGNING STRATEGY, PRIORITIES, AND PLANS This IRM plan reflects existing agency priorities, agency IT plans, the State CIO s Enterprise IRM Strategy, and the Governor s vision. Full alignment of investments with enterprise and policy-area strategies is the goal, and the purpose of this IRM plan is to serve that goal. As the first-ever policy-area IRM plan, this document takes stock of the existing resources and initiatives, maps them against strategic goals, and seeks to clarify alignment in information resource management to support the Governor s strategy as served by the work of the Focus Area Team and to identify areas of strategic alignment of information and technology resources and practices across agencies and with the EIRMS. Every successful organization strives to reliably align its vision, strategy, investments, and actions. The alignment reported here is based on the diligence of many individuals who have worked to serve agency goals and honor priorities. IT efforts can be aligned with objectives at any level; reliable strategic alignment depends in large part on the context within which IT functions. These larger systems include the connected yet independent agencies, the entirety of state government, and the shifting economic, demographic, political, policy, and technical landscapes. The commitment from top leadership in this Healthy, Safe Oregonians IRM Page 11 of 34

12 policy area is clear, but the challenges are substantial. Not least is the dilemma that every organization faces between solving pressing problems and investing for long-term gains. Particularly in the realm of IT, the short-term calculation is a zero-sum game: investing in alignment means absorbing the costs now, though the benefits may be abstract and may not accrue for years. Yet failure to invest compromises long-term success (as Alice noted in Wonderland, the hurrier I go, the behinder I get ). Every agency in this policy area faces overwhelming need with tight resources. It will take sustained and disciplined effort for the agencies to reach the full potential of inter-agency shared IT governance Guiding principles The following principles were created by the State Chief Information Officer. They were crafted to align with the vision of the Enterprise Leadership Team for common goals and outcomes and shared leadership across state government. They are derived from the 2015 EIRMS and abbreviated for inclusion here. Business-driven - Information resource management is focused on achievement of state and agency mission objectives and the overarching operational requirements of government. Oversight, Control, and Transparency Effective oversight and control mechanisms guide investments, deployment and use. Transparency assures fiscally responsible investment management without applying unnecessary procedural burdens or roadblocks. Iterative Progress and Solutions Development of both the designs and actual IT solutions allow us to take advantage of what was learned during development of earlier parts or versions, supporting course corrections when necessary and enabling go or no-go decisions on whether to continue the investment in a project at predefined points of expected delivery. Innovation IT innovations appear routinely, disrupting the best practices for delivering services. Identifying and successfully incorporating these disruptions into the delivery of state services is both a challenge and obligation. Risk Tolerance - Risk tolerance and management too tightly controlled can keep solutions from meeting business needs. Understanding and addressing risk using the full range of options (avoidance, transfer, mitigation, and acceptance) is a key role of governance. Optimization IT solutions which address common business needs and lend themselves to shared services will support optimization by reducing the resources necessary to sustain the resulting systems. Changeability / Adaptability - Develop project plans and solutions that can respond to change or adapt in response to emerging challenges or opportunities as they evolve. Security Foundation - Information security and integrity provides the foundation for optimized government operations, making every agency s contribution to that fabric of trust critical. Due diligence in the realm of information security and integrity is an imperative. Strategic Simplicity - Standardization and elimination of redundancy is used to progressively simplify the information and technology resource base making ever more innovation and optimization possible. A bias to use existing state-owned solutions to meet newly articulated needs ensures maximum leveraging of previous taxpayer investment, organizational value, comprehensive functionality, and strategic capabilities for all stakeholders. Measured Achievement and Value - Ensure achievement and accrued value are incrementally measured and routinely reported as a means to verify and validate achievement and performance. Healthy, Safe Oregonians IRM Page 12 of 34

13 2.3 INFORMATION RESOURCE MANAGEMENT GOALS The Office of Information Services (OIS) is the shared IT department that serves both the Department of Human Services and the Oregon Health Authority. It is the state s largest IT department. The Oregon Health Authority, the Department of Human Services, and OIS collaborated in 2013 to develop a Strategic Technology Plan based on a consolidated list of prioritized business needs. That effort prioritized the following five target outcomes to guide agency IT governance and investment: Provide a Comprehensive View of Clients Provide Trusted Sources for Health & Human Service Data Enable Business Automation Enable Connectivity Anytime, Anywhere, in Multiple Ways Use Dynamic Services Supporting Dynamic Needs 2.4 IT MANAGEMENT VISION OIS uses the following core principles in their approach to IT management: Deliver incremental value. Reduce projects to realistic components that deliver value in relatively quick time frames and promote learning and continuous improvement. Honor business drivers. Make effective use of governance to ensure that IT investments and practices make real contributions in addressing business needs. Invest in infrastructure and address deferred maintenance. Improve the sustainability and reusability of IT by embracing standards and modular approaches, including a technical reference model. Use enterprise architecture to improve technical alignment, reduce duplication, and predict impacts. Choose to buy or transfer systems where possible. Careful consideration of lifecycle cost and risk can reveal the benefits of using existing technologies bought or transferred over creating custom solutions. Existing solutions spread the cost and effort of maintenance with other users, reducing deferred maintenance and uncertainty. The cost of entry may be significant, however, and it is easy to underestimate the importance and scale of adequate business process re-engineering and organizational change management. Custom-built solutions may have higher lifecycle costs but can provide unique value; they should be chosen only when necessary. These principles manifest in multiple ways. OIS was a leader in moving to the State Data Center and works in close collaboration with Enterprise Technology Services. The agencies have been leaders in adopting technologies by transfer and in the thoughtful adoption of cloud-based systems, which offer desirable tradeoffs when appropriately managed. As a shared service, OIS plays a special role in helping DHS and OHA deliver the most benefit to their large shared customer population. Healthy, Safe Oregonians IRM Page 13 of 34

14 3 ENTERPRISE IT OVERVIEW 3.1 IT ENVIRONMENT At the 21 small agencies, boards and commissions included in the Health and Human Services area the IT environment is simple and tactical. 19 of these agencies have no IT staff, two have very small IT departments of three FTE each. The IT environment at these 21 agencies is comprised mostly of desktop support plus support for core business processes using off-the-shelf software or simple home-grown tools like Access databases. They are supported by the DAS Technology Service Center and/or external consultants. The OSCIO Strategic Technology Office offers IT strategy advice to these agencies (at no cost) to help them identify and pursue appropriate solutions to their business challenges. They rarely carry out significant IT projects. The rest of this section is dedicated to an overview of the IT environment at DHS and OHA, where new leadership has set a top-level objective of maturing the IT organization. 3.2 MATURING THE IT ORGANIZATION Mature organizations are able to reliably deliver value because they have well-defined approaches to both business-as-usual and to change. They are efficient at aligning plans, processes, decisions, people, actions, and results 4. Investment in maturing the IT organization will benefit the agencies by: permanently improving the capacity of IT in ways that are unrelated to FTE count; aligning IT efforts more effectively with business needs; improving the organization s ability to learn and adapt; creating a culture of measurement and accountability; more reliably and efficiently achieving desired results. Current IT and business leaders at DHS and OHA are committed to steadily maturing OIS, the shared IT organization both by continuously improving the performance of OIS and also by continuously improving how OIS works with business customers. Key initiatives include: Maturing project management discipline: a Project Management Office has been created and is actively developing standardized and repeatable project management methodology including reporting, project governance, and clarity around roles and responsibilities. Maturing vendor management: a Vendor Management Office is being created to establish standards, templates, and methodology for how OIS uses Requests for Information, Requests for Proposals, and contracts. The Office also oversees vendor-managed solutions. Maturing governance practices: described in detail in section 3.5 below. Implementing the ITIL Service Management framework: including Change Management, Incident Management, and Release Management. 4 Language from the National Institutes of Standards and Technology Baldridge performance excellence program. Healthy, Safe Oregonians IRM Page 14 of 34

15 Improving risk management: an Audit and Risk Management program has been created to manage and track IT audit findings through closure. Standardization of development practices: A standardized Software Development Lifecycle has been introduced. Continuous Improvement: described in more detail just below. Improved communication with the agencies: OIS, through its Business Engagement Services department, is standardizing intake processes and providing customer-service representatives to help agency business partners engage easily and effectively. Continuous Improvement at OIS OIS has adopted an employee-engagement centered management system called the Now System, most commonly known by the name of the company that markets it: Mass Ingenuity. The objective of the Now System is to keep employees so well informed and empowered that they seize every opportunity to make a meaningful contribution to the organization s most important goals, based on a shared understanding of how success is seen and measured. Routine work is optimized using a tool called a Fundamentals Map that maps organization mission, vision, and values to key goals, processes, outcomes, and measures. The leadership team and measure owners use a scorecard based approach to track performance and meet quarterly to review the progress. Rather than simply focusing on status at a point in time, the system notes and rewards progress on meaningful objectives. Employees are empowered to problem-solve, experiment, and take initiative. The OIS Fundamentals Map and three example outcome measures are shown in the Appendix. It is important to note that Outcome Measures change over time in order to support continuous improvement; once sufficient improvement is made in one area, that measure may be replaced with one that brings attention to the next area of opportunity. The measures shown in the appendix include some where past success means that they will soon be replaced by more ambitious measures. 3.3 IT WORKFORCE Because agencies each operate with different mandates, constraints, and practices, comparisons between agencies should be made with significant caution. The figures shown here reveal more about the nature of the work in each agency than they do about the relative strategies or efficiencies of the agencies. Also shown is whether the agency is making use of the State Data Center to provide core computing and networking services. Agency Total FTE* IT FTE** Using State Data Center? Department of Human Services 8,038 Oregon Health Authority 4, Yes Oregon Commission for the Blind 56 0 No Oregon Board of Nursing 48 3 No Oregon Medical Board 39 3 No * Per LFO Legislatively Adopted Budget Detailed Analysis ** Per 2016 OSCIO IT Survey response The total staff count at OIS (as of 7/1/16) is 482 regular staff plus 18 Limited Duration staff. This is greater than the number shown above because it includes non-it staff who support the business of IT, for example accounting and administrative staff. An organization chart is shown in the appendix. Healthy, Safe Oregonians IRM Page 15 of 34

16 OIS executive staff include the CIO and Deputy CIO plus 8 Directors, each leading a functional unit. The largest unit, Solutions Development & Delivery, has almost 200 staff, mostly developers who build and maintain systems. Customer Service and Support, with over 150 staff, manages desktop and mobile device support, Service Desk, infrastructure and problem and incident management, Project Solutions provides project management services to both agencies, provides project reporting services and sets project management standards and practices. This group is made up of 25 regular staff plus 16 limited duration positions, since project managers are often hired with limited-time project funding. Business Operations, with a staff of approximately 40, manages finance, contracts, legislative and training coordination, and IT asset management. Business Engagement Services, with 25 staff, is the home of analysts and customer services representatives who oversee governance and engage with business partners on new initiatives. The newly-formed Vendor Managed Services is a group of 15 staff that manages operations of vendor managed systems. Enterprise Alignment and Design, with 20 staff, provides Enterprise Architecture services, houses the Testing Center of Excellence and provides audit tracking and support. The Information Security and Privacy Office with 17 staff, manages privacy and security for all DHS/OHA information, e-discovery services, risk management and information exchange management. ISPO is described in more detail in section 3.8, below. 3.4 IT BUDGET Agency and IT budgets for the top IT-using agencies are shown in the table below. The IT budget figures do not include project budgets. Department budget (all funds)* IT budget** Department of Human Services $10,203,545,806 Oregon Health Authority $19,466,370,129 $176,548,934 Oregon Commission for the Blind $16,204,789 $351,069 Oregon Board of Nursing $15,265,753 Data not available Oregon Medical Board $11,269,353 $146,202 * Per LFO Legislatively Adopted Budget Detailed Analysis ** Per 2016 OSCIO IT Survey response. Note that this is annual, not biennial. 3.5 IT GOVERNANCE IT governance is the discipline of deciding what IT investments to make in order to optimize the return (in terms of business value) while managing resources and risk. Best practices in IT governance involve close collaboration between IT and business, multiple tiers of governance, and documented structures, processes, and metrics. The goal of governance is to strategically guide and prioritize work, and to monitor and respond to the delivery of promised benefits. Collaboration between IT and business supports decision-making informed by reliable measures of feasibility, cost, risk, and benefit. At their best, governance practices contribute to continuous improvement by supporting organizational learning and development. Healthy, Safe Oregonians IRM Page 16 of 34

17 As part of the work to mature IT at the agencies, efforts are underway to incrementally introduce a comprehensive IT governance model. This overview of the model shows the three-tiered approach: Great progress has been made in the last few years, and more is underway to help the agencies garner the full benefits of mature IT governance. The lower levels of governance focus on prioritization of IT efforts governance in which IT functions as a service provider. Work Prioritization teams are functional in DHS and are being introduced in OHA, beginning with the Health Systems Division. These teams review all work requests and prioritize small efforts for individual systems. Nearly 70% of the envisioned Information Systems Management Committees [ISMCs] are also operational. ISMCs provide strategic guidance and prioritization on larger efforts, based in part on recommendations provided by Work Prioritization Teams. It will take time for the new governance model to fully permeate the cultures of the two agencies, allowing work to be planned and executed in ways that fully align their strategic and tactical needs with the capacity of IT to deliver functionality and the capacity of the business to lead and adapt to change. In particular, Joint Governance is still being developed, with sustained effort from OIS and supported by independent research on best practice. Effective joint governance will powerfully promote strong returns on IT investment. It is not, however, a quick win; it will require deep cultural learning and acceptance that could well take years to fully manifest. Even more benefit can accrue when IT is fully consulted in the role of an advisor on business strategy, taking the IT function from being a servant of the business to being a trusted partner. One measure of commitment to governance at this level is how IT is formally engaged with senior leadership. OIS has a number of formal engagements with DHS and OHA including: Healthy, Safe Oregonians IRM Page 17 of 34

18 The CIO participates in DHS Leadership team (Cabinet) which meets fortnightly. The CIO participates in quarterly DHS/OHA Shared Initiatives meetings. The CIO attends the OHA Leadership team (Cabinet) quarterly to discuss IT. The CIO has been involved by both agency leadership teams in establishing their priorities. The table below shows how agencies characterize their governance engagement and IT strategy: Department Department of Human Services Oregon Health Authority Oregon Commission for the Blind Oregon Board of Nursing Oregon Medical Board State of IT Strategy Formal and Structured Ad hoc Ad hoc Formal and structured Endorsed by Sr. Management? Endorsed by Agency Leadership Endorsed by Agency Leadership Endorsed by Agency Leadership Endorsed by Agency Leadership Aligned with Business? Tightly Tightly Loosely Tightly Per 2016 OSCIO IT Survey response. Full questions, answer options, and working definitions of each answer are listed in the Appendix. 3.6 ENTERPRISE ARCHITECTURE DHS and OHA carry out Enterprise Architecture assessments of solutions and projects to assess their alignment with the agencies mission, vision, values, goals, objectives, strategies and its principles and to avoid duplication of efforts. It accomplishes this by reviewing the various business, information and technology needs, capabilities and also the relation to other initiatives or efforts in the enterprise. Typically, this assessment is carried out as a preparation for the OSCIO Stage Gate process. Included are business architecture assessment, enterprise strategy assessment, information architecture assessment, technical architecture assessment, and enterprise security architecture assessment. Enterprise architecture principles also apply across agencies. For example, one area where there is substantial duplication of effort in this policy area is in the technology that supports licensing of healthrelated practitioners and facilities. Each of the 17 standalone licensing boards in the policy area manages its own technology, though many of the boards have only a handful of staff. Further study may reveal an opportunity to improve efficiency and reduce risk by pursuing common solutions. 3.7 IT INFRASTRUCTURE OIS is the largest IT department in the state. A few facts are presented here to paint a picture of the scale at which the department operates. OIS serves 17,500 state staff and partners at 165 locations, with 17,000 PCs and laptops, 2,100 printers, 5,918 lines of cellular service, and 3,626 managed phones and tablets. The servers operated by OIS handle an average of 800,000 messages per day. On average 155,000 instant messages are sent and Healthy, Safe Oregonians IRM Page 18 of 34

19 70 video conferences occur per day. The service desk averages 8,426 phone calls and opens and average of 13,472 support tickets each month. OIS supports over 300 unique or specialized applications. OIS uses the State Data Center for the vast majority the servers it operates. 3.8 CYBER SECURITY AND PRIVACY Two aspects of security are defined in Oregon Statute: information security and information technology security (also defined in statute as information systems security). Information security is the discipline of protecting information from threats. This protection has the goals of reducing business risk, improving returns on investments, and supporting business continuity. All state agencies are responsible for information security, which they must deliver through establishing appropriate controls on business processes. IT security is a subset of information security. The state s Chief Information Security Officer leads the Enterprise Security Office [ESO] and is responsible for implementing the State Information Security Plan, which outlines requirements for each state agency to follow when creating individual agency security plans. The state s Information Technology Security plan is based on standards created International Organization for Standardization (ISO). Using widely-accepted standards makes it easier to manage IT security across the state and allows agencies to uniformly assess risk and establish appropriate controls. On September 12 th 2016, Governor Brown issued Executive Order Unifying Cyber Security in Oregon. The immediate effect of the order is to place control of agency information security staff and resources at the disposal of the State Chief Information Security Officer, who has signaled that in almost every case staff will be reassigned to existing duties with the addition of such duties as are necessary to achieve the first objective of unification: a statewide information security assessment. Because this effort is so new, the longer term implications of this initiative are not yet clear. It is likely that some attention will be paid to the asymmetric nature of vulnerabilities at small agencies, which could provide benefit to the many small boards and commissions in this group. Agencies in the Healthy People policy area that are included in the first round of work under EO include DHS, OHA, and the Board of Nursing. Work includes internal and external scans as well as in-depth risk assessments. Of all the agencies in the policy area, only DHS/OHA have in-house information security staff. In its current form, the Information Security and Privacy Office [ISPO] is a shared service serving DHS and OHA. ISPO is led by the agencies Chief Information Security Officer [CISO]. ISPO is a division of OIS. The two largest components of ISPO are the Information Security and Privacy teams. The Information Security team is charged with assuring the physical, personnel, and technical protection of the agency s information. This starts when information is received or created by the agency, or an agency program, and continues until the information is stored, disseminated, or destroyed. This is accomplished via a combination of compliance and risk-based approaches. This team focuses on the discovery and assessment of risk and provides consultative support in the mitigation of risks. ISPO is unique with respect to other state agencies in that it is technology agnostic and does not perform operational IT security functions such as identity and access management, firewall administration, or event management. Healthy, Safe Oregonians IRM Page 19 of 34

20 The Privacy team is unique among state agencies due to the myriad varieties of regulated data for which it is responsible. A few examples are: Personally Identifiable Information (PII) Protected Health Information (PHI & ephi) Federal Tax Information (FTI) Criminal Justice Information (CJI) Department Department of Human Services Role-based security implementation* ESO count of breaches Agency count of breaches** Severity of breaches* Oregon Health Authority Low 1 1 Minimal Oregon Commission for the Blind Low 0 0 None Oregon Board of Nursing High 0 0 None Oregon Medical Board Medium 0 0 None * Per 2016 OSCIO IT Survey response. ** Modified IT Survey response, counting method modified to align with ESO standards. The single breach reported here was not technical in nature. A worker in the Vocational Rehabilitation department inadvertently attached a spreadsheet containing the names, addresses, dates of birth, social security numbers, Prime Numbers, and benefit amounts for 1755 individuals to an , which was sent in an unsecure manner to an unintended recipient (a DHS client) at a personal Gmail address. DHS determined that the incident fell within the scope of the Oregon Consumer Identity Theft Prevention Act and committed to notify the clients impacted, the media, and the three credit reporting agencies as required by law. DHS also notified the Social Security Administration and CMS as required under information exchange agreements. The staff member responsible for the incident was coached, reviewed relevant policies and procedures, and completed uniform Privacy and Security Awareness Training. Department Department of Human Services Business Continuity Plan implemented? Disaster Recovery tested? Yes (for major systems) Backup site? Oregon Health Authority Yes* Yes Oregon Commission for the Blind None Never No Oregon Board of Nursing None Never No Oregon Medical Board High < 6 mos. No Per 2016 OSCIO IT Survey response. * Responsibility for agency business continuity planning lies outside of IT. 3.9 MAJOR IT PROJECTS UNDERWAY DHS and OHA maintain a large portfolio of IT projects. The most significant and largest in-flight projects are presented here. Most of these projects are under oversight by OSCIO and the Legislative Fiscal Office. No large IT projects are currently underway at any of the other agencies in the policy area. Healthy, Safe Oregonians IRM Page 20 of 34

21 DHS and OHA have historically prioritized projects through a variety of processes. While each selected project is well justified by its connection to specific drivers, there is not yet a consistent, transparent mechanism for prioritizing projects across the agencies. Best practices in portfolio management prioritize investments based on the consistent consideration of multiple factors including feasibility, risk, expected return, and strategic benefit (measured against a current strategic plan). Such a degree of rigor is one result of mature, high-level IT governance. OIS is actively working towards this goal and has made significant and demonstrable progress, but it will take both time and active leadership by agency executives to achieve. In the project listing below, the most important alignments between specific projects and strategic drivers (as identified by the author, not the agencies) are called out in narrative. A visual mapping of projects against a subset of goals and drivers (again, as identified by the author) is shown in Section Centralized Abuse Management The purpose of this project is to develop and implement a comprehensive multi-program, cross-agency system to capture abuse allegations and investigations from intake and screening through investigation, case closure and referrals, documentation, and to support abuse management oversight and inquiries. This project is essential to the top priority of DHS, to increase safety and reduce abuse of children and adults. The project is currently in the planning phase. A rigorous search led to the identification of a transfer solution from Colorado as an excellent fit, and aggressive efforts are underway to finalize planning and begin implementation Integrated Eligibility Integrated Eligibility [IE] is a major expansion of the ONE eligibility system. Where ONE supports a specific type of income-based eligibility and enrollment for Medicaid (called MAGI, for Modified Adjusted Gross Income), IE adds eligibility and enrollment capabilities for the DHS-operated selfsufficiency programs SNAP (Supplemental Nutrition Assistance Program), TANF (Temporary Assistance for Needy Families), and ERDC (Employment-Related Daycare) as well as support for additional ( non- MAGI ) Medicaid eligibility. By the end of the project, ONE and IE will be merged into a single, inclusive system ( Integrated ONE ). Because the project impacts multiple programs across both DHS and OHA, close collaboration is essential to its success. This project is core to the DHS priority implement integrated eligibility across programs and aligns with multiple other DHS and OHA priorities, including OHA s top priority to make Oregon Health Plan member experience with Oregon s Medicaid program simpler, easier, more timely and reliable. Like ONE, IE is based on the Kentucky system in particular on a later generation of the Kentucky system that included these expansions Provider Time Capture This project brings together three program areas (Intellectual and Developmental Disabilities, Aging and People with Disabilities, and Addictions and Mental Health) in order to streamline processes, gain operational and process efficiencies, and increase program integrity in Medicaid claim processing for Home Care Workers and Personal Support Workers. While the primary driver for this project is compliance with Federal law, the ability to effectively track workers time will significantly improve program integrity. There is also a business need to track travel time and combined work hours across all programs in order to comply with Federal Fair Labor Standards. Healthy, Safe Oregonians IRM Page 21 of 34

22 3.9.4 Learning Center to ilearn Migration This project migrates DHS/OHA web-based learning from the legacy Learning Management System used by the agencies into the enterprise ilearn system managed by the Department of Administrative Services. The migration includes critical historical records of classes, users, courses, instructors, and trainings and support for the business transition. By unifying and thus simplifying the enterprise IT landscape, this project aligns with DHS and OHA priorities to make more efficient and effective use of resources and to maintain a fiscally responsible budget Behavioral Health Integration This project is implementing the final components of the Electronic Health Record system for the Oregon State Hospital. It began in 2006, and replaces the legacy client information systems which were fragmented and disorganized. The new system consists of Netsmart s Avatar product plus additional components for Laboratory Automation, Food and Nutrition Services, Pharmacy Automation, and Automated Medication Dispensing Health IT Portfolio The Health IT Portfolio consists of three initiatives: the Oregon Common Credentialing Program, Provider Directory, and Clinical Quality Metrics Registry. It aligns with multiple OHA priorities, and most notably is essential to the priority of accelerating health system transformation. Credentialing of healthcare providers is the process of establishing their qualifications as licensed professionals and assessing their background and legitimacy. The process can be expensive, burdensome and repetitive. The Common Credentialing Program will streamline credentialing by providing a centralized, web-based repository of verified health care practitioner credentialing information. The statewide Provider Directory will support care coordination, referrals, analytics, quality improvement activities, and health information exchange by providing healthcare organizations and state and local agencies with a comprehensive directory of providers including contact information, health information exchange addresses, and clinic affiliations. The Clinical Quality Metrics Registry will support the collection of data on Clinical Quality Measures for the Medicaid Electronic Health Record (EHR) Incentive Program, which pays incentives to Oregon health care providers who meet the Meaningful Use standards set by CMS. It also collects data to determine CCO performance and associated payment eligibility, and provides CCOs with data to support quality improvement efforts Oregon Eligibility (ONE) Phase 2: Enhancements The ONE system manages eligibility for income-based Medicaid. Phase 1 of this Kentucky transfer system was completed in June 2016, and the system is now operational. Phase 2 of the project is addressing additional needs for enhancements to streamline business and operational processes. As with Phase 1 of the project, this work is essential to OHA s top priority to make Oregon Health Plan member experience with Oregon s Medicaid program simpler, easier, more timely and reliable Medical Marijuana Expansion This project implements additional functionality as a result of the passage of House Bill 3400 and Senate Bill 844, which made changes to Oregon s medical marijuana laws. The project s goal is to assure public health and safety through a program that provides patients with access to a safe medical marijuana product and also tracks and regulates it in compliance with state and federal standards. Healthy, Safe Oregonians IRM Page 22 of 34

23 The key driver for this work is to maintain compliance with Oregon state law Medicaid Electronic Document Management System This project upgrades older software and hardware to integrate with the agency s enterprise document management system. It involves transitioning from Captiva software to Kofax Capture software, which is currently used for all non-medicaid scanning in the agency Medicaid MMIS Hardware Refresh This project replaces end-of-life hardware and database technology to provide necessary growth capability for MMIS, the large core system that underlies all of Oregon s Medicaid technologies and connects with many other systems Transformed Medicaid Statistical Information System This project supports Oregon s ability to broadly expand the collection, analysis, and reporting of Medicaid information to create an integrated view of Medicaid and the Children s Health Insurance Program [CHIP] activities. This supports improved policy and program decision-making as well as improved ability to monitor and predict costs and to detect fraud, waste, and abuse. This project was mandated to meet new CMS requirements HIV Electronic CAREAssist This project will update the technology supporting CAREAssist, Oregon s AIDS drug assistance program, improving usability, supporting automation, and improving compliance Tracking Home Visiting Effectiveness in Oregon This project will deliver an interoperable and scalable home visiting data collection, case management and reporting system. Healthy, Safe Oregonians IRM Page 23 of 34

24 Summary of Major Projects Currently Underway Agency Project Stage (as of Budget* Completion Time Frame 9/29/2016) DHS Centralized Abuse Management 2 Initiation $4.7M Not yet known DHS Integrated Eligibility 4--Execution $162M 2019 Q2 DHS Provider Time Capture 3 Planning $8.2M 2017 Q1 DHS/OHA Learning Center to ilearn Migration 4 Execution $1.07M 2017 Q1 OHA Behavioral Health Integration 4 Execution $25.9M 2017 Q3 OHA Health IT Portfolio 3 Planning $20M 2018 Q4 OHA Oregon Eligibility (ONE) Phase 2: 4 Execution $18.3M 2018 Q2 Enhancements OHA Medical Marijuana Expansion Not stage gate $3.38M 2016 Q4 OHA Medicaid Electronic Document 4 Execution $3.9M 2017 Q2 Management System OHA Medicaid MMIS Hardware Refresh 4 Execution $10.7M 2016 Q4 OHA Transformed Medicaid Statistical Not stage gate $2.4M 2017 Q1 Information System OHA HIV Electronic CAREAssist 2 Initiation $3.5M 2018 Q4 OHA Tracking Home Visiting Effectiveness in Oregon 1 Concept $1.81M 2017 Q2 * Budget figures represent approved complete project budget across all biennia, as at 12/22/ MAJOR IT PROJECTS RECENTLY COMPLETED Oregon Eligibility (ONE) Phase 1 The ONE system manages eligibility for income-based Medicaid and CHIP. Phase 1 of the ONE transfer was completed on schedule in June 2016, and the system is fully operational Women, Infants and Children Electronic Benefits Transfer Implemented a full-service electronic benefit transfer system, replacing old paper vouchers with electronic benefits cards for the distribution of WIC food benefits Medical Marijuana Compliance Enhanced the existing system to meet new requirements under House Bill 3400 and Senate Bill MMIS ICD10 Conversion Updated the MMIS system to use newer and more sophisticated ICD-10 diagnosis codes, per Federal mandate MMIS 5010 Updated MMIS to meet electronic data interchange [EDI] standards and operating rules as required by Federal Health Insurance Portability and Accountability Act and the Patient Protection and Affordable Care Act. Healthy, Safe Oregonians IRM Page 24 of 34

25 COMPASS Replaced Addiction and Mental Health client data systems with new systems that allow for greater accountability and better outcome tracking. It also implemented a new contract management system and allowed behavioral health providers to use an open source electronic health records system MMIS Disaster Recovery Produced a formal disaster recovery plan for Oregon s MMIS, meeting MMIS certification criteria. Implemented and tested an MMIS disaster recovery solution in collaboration with the vendor (HPE) at their Colorado Springs disaster recovery facility Home Visiting Data System Proof of Concept Completed a proof-of-concept system for maternal and child health caseload and referral management, to be used by staff from 3 of the 4 childhood home visiting programs. The eventual solution will allow OHA to monitor partner agency performance and to evaluate programs. Summary of Major Projects Recently Completed Agency Project Cost Completed OHA Oregon Eligibility (ONE) Phase 1 $56.7M 2016 Q2 OHA Women, Infants and Children Electronic $9.27M 2016 Q3 Benefits Transfer OHA Medical Marijuana Compliance $2.05M 2016 Q2 OHA MMIS ICD10 Conversion $6.37M 2016 Q4 OHA MMIS 5010 $14.03M 2015 Q3 OHA COMPASS $5.3M 2015 Q2 OHA MMIS Disaster Recovery $6.46M 2015 Q3 OHA Home Visiting Data System Pilot $1.2M 2015 Q MAJOR IT PROJECTS BEING PROPOSED MMIS Modularization Planning CMS requires that new Medicaid Management Information Systems [MMIS] use a modular architecture in order to receive full Federal funding. This project will begin planning for the transition to a modular replacement for the current MMIS, which is expected to last until at least The work will include assessing modularization strategies in other states, identifying options for Oregon, understanding and clarifying CMS certification requirements, and beginning procurement activities for modular components. This project addresses the Federal driver of CMS promoting MMIS modularization and strategically accelerates and promotes health system transformation. 5 Since the recent settlement with Oracle, agencies are required to evaluate the potential use of free or discounted Oracle products as part of their project planning. In particular, agencies are required to assess the appropriateness, feasibility, benefits, costs and risks of covered Oracle solutions as part of their required alternatives analysis. This process may impact some proposed projects, as well as some that have already been started but have not yet committed to using a particular technology. Healthy, Safe Oregonians IRM Page 25 of 34

26 WIC TWIST This project will update the technology supporting the Special Supplemental Nutrition Program for Women, Infants and Children from its current client-server architecture to one that is web-based MMIS SSN Removal Initiative The Federal Medicare Access and CHIP Reauthorization Act requires that social security numbers be removed from Medicare cards in order to reduce the potential for identity theft. This project will support the transition to the new Medicare Beneficiary Identifier, which must be completed by April Summary of Major Projects being proposed Agency Project Budget Completion Time Frame OHA MMIS Modularization Planning $4.6M Q OHA WIC TWIST $8.5M Q OHA MMIS SSN Removal Initiative $1.5M Q STRATEGIC GOALS AND OBJECTIVES 4.1 MAPPING PROJECTS TO STRATEGIC GOALS AND DRIVERS Agency priorities, strategic goals for IT, and operating principles are described in detail in Section 2. As the first-ever policy area IRM, this document reflects existing plans and the current state of operations. The mapping presented here does not represent the work of the agencies but is rather an attempt by the author to explore and understand, at the level of the policy area, the connection between agency IT efforts, business goals, and drivers. It is presented as an initial offering in support of more inclusive and deeper strategic planning in the years to come. Healthy, Safe Oregonians IRM Page 26 of 34

27 Mapping Projects to Strategic Goals and Drivers Healthy, Safe Oregonians IRM Page 27 of 34

28 APPENDIX The following materials are referenced in the body of the document: The OIS fundamentals map Three example Outcome Measures (among many) tracked by OIS A high-level organization chart of OIS Questions, answers, and working definitions describing the state of agency IT strategy and governance as used in the 2016 OSCIO IT Survey Healthy, Safe Oregonians IRM Page 28 of 34

29 Healthy, Safe Oregonians IRM Page 29 of 34

30 Example Outcome measures tracked as part of OIS Continuous Improvement Efforts The three measures presented here show past improvement up to a snapshot in time. The measures themselves will change over time as OIS performance improves and goals become more ambitious. Process: Deliver Solutions Measure: Timely Response to Customers The OIS Service Desk is the entry point for most support and service requests. Service Desk performance is a foundational measure for OIS. The progress below represents an entire team focusing and driving towards specified targets over 5 successive quarters. ID Measures Definition Red Yellow Green OP5 OP 5.1a OP 5.1b OP 5.1c Deliver Solutions Timely Response to Customers-First Percent of CA Service Desk tickets Contact Resolution resolved on first contact Timely Response to Customers- Time to Resolution Timely Response to Customers- Aging Average time to resolve CA Service Desk Ticket CA Service Desk Open tickets > 30 days Q Q < >60 42% 46% (T=43%) >7 3-7 <3 7 days 8 days (T=7 days) > < tkt 1024 tkt (T=<800 tkt) Q % (T=48%) 5 days (T=<7 days) 359 tkt (T=<800 tkt) Q % (T=53%) 3 days (T=4 days) 468 tkt (T=250 tkt) Q % (T=64%) 2.8 days (T=3 days) 440 tkt (T=250 tkt) Target Met Next Target 65% 2.5 days 250 tkt Process: Manage Operations Measure: Contract Administration Training OIS manages the business of IT including finances, IT procurement, contracts, legislative requests, IT assets and financial reporting. Contract administration was targeted as a key area for improvement; this measure counts the number of managers and contract administrators who have received appropriate training. ID Measures Definition Red Yellow Green Q Q Q Q Q Target Met Next Target SP2 Manage Operations SP 2.3 Contract Administration Percent of managers and/or contract administrators who completed training < >95 33% 60% (T=50%) 74% (T=66%) 90% (T=86%) 94% (T=92%) 96% Outcome: Quality Products & Services Measure: System Uptime Uptime is a key and foundational component of IT service quality, on which higher levels of service can be built. System uptime is tracked for services that OIS is accountable for regardless of who (vendors, other agencies, etc.) provides the service. ID Measures Definition Red Yellow Green Q Q Q Q Q Target Met Next Target O1 OM 2.1a OM 2.1b OM 2.1c Quality Products & Services System Uptime-Network System Uptime- System Uptime-MMIS Percent of time Network is available for our customers (via ETS) Percent of time is available for our customers Percent of time MMIS is available for our customers (contractual) <98 ~15 hr/month <98 ~15 hr/month <99.6 ~3 hr/month ~15hrs -90 min/month ~15hrs - 90 min/month ~3hr/month - ~1hr/month >99.8 ~90 min >99.8 ~90 min 99.9 ~1hr/month Y 99.8% 99.8% (T=99.9%) 100% 97.69% (T=99.9%) 99.9% 99.9% (T=99.9%) 99.8% (T=99.8%) 99.9% (T=99.9%) 99.9% (T=99.9%) 99.9% (T=99.8%) 99.2% (T=99.9%) 99.9% (T=99.9%) 99.87% (T=99.80%) 99.9% (T=99.9%) 99.9% (T=99.9%) 99.8% 99.9% 99.9% Healthy, Safe Oregonians IRM Page 30 of 34

31 Healthy, Safe Oregonians IRM Page 31 of 34