McKesson on cloud, identity and the digital transformation of healthcare

Profile picture for user Michelle Swan By Michelle Swan April 7, 2019
Summary:
US healthcare giant McKesson is moving to the cloud and digital as fast as it can - that means big changes in how it handles data security and identity

healthcare technology
Nearly every company in the world is talking about digital transformation but few are going digital on the scale of McKesson – a 186-year-old Fortune 6 company that touches nearly every aspect of healthcare.

Describing McKesson as a large and complex company doesn’t really do it justice. It is the oldest and largest healthcare company in the US with $200+ billion in annual revenue, operations in more than sixteen countries and 78,000 employees around the world. While it may not be a household name, McKesson makes, ships or moves one out of every three drugs in North America. These are pretty impressive statistics and they reflect a very successful business, but that scale and complexity create big challenges for an IT department trying to keep pace with the change happening in the technology and healthcare landscape.

I had the opportunity to sit down with McKesson’s SVP and CTO Andy Zitney and CISO Spencer Mott at last week’s Oktane conference in San Francisco to talk about what keeps them up at night.

We discussed technology’s impact on how healthcare is delivered, the rising expectations of patients when it comes to their data and experience, and the pressure this puts on businesses. We also discussed how McKesson is adapting its technology strategy to create a more cohesive patient experience across its different brands, and how it is modernizing its technology stack to make this strategy a reality. Not surprisingly, cloud, security and identity were at the heart of all this.

McKesson’s shift to the cloud

Like many large enterprises, McKesson is now taking a cloud-first strategy.

This isn’t new for companies – even large ones. According to Okta’s recently released Digital Enterprise Report the appetite for cloud technology continues to increase at some of the largest companies in the world. The research, which targeted IT decision makers from companies with more than $1 billion in revenue, indicates that three-quarters of these large companies already use cloud applications and 65% of them expect the number of clouds they run on to increase this year. Nearly 50% of respondents are already using between 10-50 cloud apps, and 10% are using over 100 apps.

McKesson is taking a more measured approach than some companies but moving fast. Zitney estimates 80% of McKesson’s systems are still on-premise, stitched together with a federated architecture. His goal to modernize McKesson’s entire technology stack over the next 5 years with a much smaller on-premise footprint and public cloud technologies at the front end.

We only signed a five year lease on our data centers so it’s not a slow migration.

McKesson is planning to replace dozens of different apps with a set of around a half dozen strategic cloud partners. Okta sits in the middle as its central identity management system. Like any company pursuing a hybrid and/or multi-cloud strategy, finding a secure way to manage identity across systems was one of the first steps the team took.

Zitney points to system availability, lower costs and getting IT out of the business of running data centers as some of the main drivers behind McKesson’s move to the cloud. He wants to focus the company’s valuable development resources on creating differentiation and revenue-generating apps, not on “shaving the yak” doing routine tasks, as he so eloquently put it in a recent speech to developers.

The move to the cloud will also bring flexibility for this highly acquisitive company.

Most of the companies we acquire are already cloud-enabled. While we might need to do some refactoring and the architectures might not be exactly aligned, the cloud mindset coming into the company is a great thing for us.

Most importantly, the move will also help tie together the user experience for McKesson’s many customers and patients. According to CISO Mott:

The way healthcare is being delivered has completely changed. Patients have multiple devices and they expect a better experience from providers and payers. They don’t want barriers and that experience lends more to the cloud.

Pursuing a patient centric view

Putting more emphasis on the user experience is becoming more important to McKesson as it moves further into retail and supports more customer-facing businesses like the US Oncology Network of more than 450 independent, community-based oncology practices. When describing the importance of the patient experience in McKesson’s B2C initiatives, Mott puts it like this:

For patients dealing with cancer, that is a tough enough situation to be in. They don’t need yet another barrier. To fill out another form. Or not get timely information. Or get bad communication about how their treatment is going. We want to take away the friction and help the patient through the experience...Or if they’re healthy, to keep them healthy.

One of the barriers to creating that frictionless patient experience is not having a consolidated view of the patient data.

Right now it feels like you’re dealing with different companies. We want it to feel like you’re working with one company no matter where you came into the process.

According to Zitney and Mott the ability to bring together data in a secure way, with the patient at the center, can unlock incredible value. Drug manufacturers can better understand the effectiveness or adverse effects of drugs. Doctors can get a better, more accurate view of patient history before they even see a patient. Providers can get more insights into patients to offer better preventative services. And if you get really sophisticated, you can even drive down healthcare costs.

The only way to make this happen is through better identity management and a ‘zero trust’ security mindset that is more focused on the endpoint than the network. Says Mott:

Zero trust is quite a radically different model. We are embedding security throughout the lifecycle, moving energy away from managing vulnerabilities to securing code in the first place.

McKesson is putting tools and processes in place that move security responsibility all the way down to the developer, forcing them to write better code at the outset rather than catching it at the end or patching it. Having a common identity across its different systems (on-premise, cloud), different devices and different parts of the patient lifecycle is also key, making Okta an important part of McKesson’s overall digitalization journey.

However, Zitney and Mott are both clear that there are no easy solutions and it’s more than just a technology issue. Says Mott:

There are so many complexities when it comes to data rights, and we have to be very conscious of that. But it would be criminal to ignore the fact that we have the data in these systems and not try to unlock insights within that data to bring value to patients.

My take

Cloud has clearly crossed the chasm. There should be no question about whether the model is ready for prime time when a huge, highly regulated company that was born in 1833 – a time when lawnmowers were considered emerging technology – is pushing hard on cloud adoption.

As someone who lives in Silicon Valley and who covers emerging technology, I was a little surprised that two-thirds of the respondents in Okta’s Digital Enterprise Report said their “cloud end state” was to only run half their apps in the cloud. When you consider how much innovation and speed the cloud can bring to companies undergoing transition I would’ve expected more apps moving there. However, after talking with Zitney and Mott about the complexity of McKesson’s business and how entrenched legacy technology and mindsets are inside a company like theirs, I have greater empathy for their journey.

As for the patient journey, identity is going to play a bigger and bigger role in the evolution of healthcare. For years the different factions of the healthcare industry could work in their own silo. But shifting consumer expectations and the rising costs of healthcare – especially in aging societies like the US – are going to force these factions to work together going forward.

The technology is getting there to make it possible, but as McKesson explained, it’s more than a technology issue. The bigger issues of how identity is handled, who owns the data, and how to protect this sensitive data are going to take center stage, and vendors in this space are going to have to play a bigger and more responsible role in the debate.

[Updated April 10th with minor corrections to McKesson's Fortune ranking, Zitney's job title, cloud app consolidation numbers and the link to the US Oncology Network.]