IT Governance Business Case Clinical Management Tool to Support New Crisis Response Teams Community Safety Department
Background As part of the FY2022 budget process, City Council approved the creation of a new Community Safety Department (CSD). CSD has undergone rapid change to best meet City Council’s vision. Intensive learning, planning, and staff growth have led to the anticipated launch of three crisis response pilot programs in the Summer of 2022. A fourth crisis response pilot, co-response, will launch in the Fall of 2022. In the course of their duties, the CSD crisis response teams, led by licensed clinicians, will respond to 911 calls related to behavioral health crises, conduct in-field clinical assessments, provide compassionate therapeutic care to those experiencing crises, develop clinical response plans, follow-up with individuals who experienced crisis, refer individuals to long-term care providers, document their interactions, and provide clinical notes that could be helpful in any further interactions.
Current Business Problem The City does not currently have a tool that can collect and manage the data needed for clinical management. •
CSD needs to manage highly sensitive information regarding incidents related to the health and wellness of the individuals they are serving. This information will be treated like it is subject to HIPAA compliant regulations in addition to other confidentiality and data privacy requirements. The City is not a HIPAA covered entity; therefore the City is going beyond what is required to protect the data.
Current Pain Points •
Currently lack of case management software that provides the ability to track interactions and clinical notes
•
Currently lack the ability to share information between the CSD team and on-site responders to see the histories of people to whom they are responding
•
Currently lack the ability to schedule appointments and followup visits directly from the system to both better assist responders in managing their work and maintaining data integrity as to follow-up and referral activity
•
Unable to Integrate with ESO and CAD with current system to track data across response system
•
Unable to pull reports with variables, including program type and activity, as well as the ability to track repeat clients
Desired Business Value
City of Durham’s Strategic Plan Goal: Creating a Safer Community Together Initiative: Develop and implement Community Safety pilot programs
Implement new clinical management tool that will enable the community safety department to meet the data needs for clinical management.
Future State Benefits The new software will provide: •
Compliance with HIPAA regulations and 42 CFR Part 2 (HIPAA compliance is not required for the City);
•
Ongoing case management, inclusive of the ability to track interactions and clinical notes;
•
Sharing between the CSD team so that responders can see the histories of people to whom they are responding, even if they were not the initial contact;
•
Scheduling appointments and follow-up visits directly from the system to both better assist responders in managing their work and maintaining data integrity as to follow-up and referral activity;
•
Intergrating with ESO and CAD to easily track data across the response systems;
•
Pulling reports by a number of variables, including program type and activity, as well as the ability to track high utilizers and familiar faces;
•
Easy and intuitive navigation.
•
Ability to set permissions so that other first responders could access specific kinds of data that may be useful to them in the field without giving access to all clinical records.
•
Ability to set permissions and access rights to data so that we can share certain kinds of data with other first responders without giving them access to sensitive data protected by HIPAA or 42 CFR Part 2
Analysis and Recommended Solution
Findings from the analysis •
Where will this software be installed? (Server/Local Machines/Accessed through Web Portal) •
•
What endpoints will this software run on? (Do you have specifications of the OS that the endpoint devices require?) •
•
Answer: Julota is accessed only through a web portal.
Answer: Julota is accessed through a web portal and supports all latest versions major modern browsers. Chrome is the recommended browser for laptops and desktops, while only native browsers are supported for Apple devices. Julota’s support for IE11 ends in June 2022. Julota is accessible on all devices and machines that utilize the latest version of any major modern browser.
What connectivity method does the software use to connect to the cloud? •
Answer: Julota utilizes any internet connection available, whether over 4G, 5G, Wi-Fi, or ethernet.
Findings from the analysis continued •
What is the broadband requirement for this connection? (4G,5G, Wi-Fi, etc.) •
•
Answer: Although there is no minimum bandwidth required, it is recommended to be on 4G, 5G, or have an internet connection with at least 1.5mb up/down.
What type of network/firewall settings will this software need in order to run? •
Answer: Since Julota is available via the internet, no network or firewall settings are required. However, it is highly recommended to whitelist the following domains and email addresses as to not delay application use, messages, and/or notifications from the system to its Users. • • •
•
What support do you provide for this software? •
•
https://reach-training.julota.com https://reach.julota.com @julota.com
Answer: Julota’s standard SLA provides access to a Help Desk, Critical Hotline, and email channel.
What is the update schedule? (How frequently) (What time) ? •
Answer: Julota has a daily maintenance schedule between 10 pm and 3 am, where updates can be provided using zero-downtime deployment processes.
Findings from the analysis continued •
Where does the data that is collected with the software stored? •
•
Do you backup the data for recovering and resiliency? •
•
Answer: All data is backed up nightly for 30 days and monthly for 72 months. Additional extensions to the retention policy can be granted up to 120 months.
What is the cost of storing the data? •
•
Answer: All data is backed up nightly for 30 days and monthly for 72 months. Additional extensions to the retention policy can be granted up to 120 months. Additionally, Julota uses a WAL technology to provide up to the second backups in case of complete database master and slave failures.
How long is the data from the software stored? •
•
Answer: All data collected is stored directly on AWS and backed up in AWS S3.
Answer: The cost of data storage is included in the SaaS license fee.
Are you collecting Data that would be considered HIPAA/CFR 42 Part 2 compliant data? •
Answer: Yes. Julota operates on minimum security and compliance that satisfies HIPAA/HITECH. However the City of Durham is not a HIPAA covered entity and is not required to meet the HIPAA compliance standard.
Findings from the analysis continued •
What is the upgrade cycle for this software? •
•
How are these upgrades performed? •
•
Answer: Upgrades with low risk and complexity happen during the maintenance schedule, outside of peak hours. Upgrades with higher risk and complexity happen during the maintenance schedule over a weekend.
What will TS be expected to do for the upgrades? •
•
Answer: Upgrades happen quarterly. All upgrades that impact workflows or require enduser training go through a Training environment for at least 2 weeks before being released to production to provide time for User review, feedback, and training.
Answer: TS will not be needed for any standard upgrades. In the event TS is needed, Julota will reach out directly and discuss an upgrade path. This is extremely uncommon.
Will the upgrade require new devices to run the software? •
Answer: Since Julota is not installed on a machine or device, Julota upgrades do not require device upgrades to continue to operate Julota. From time to time, it may be required to update the native or modern browser being used to continue using Julota, as security is at upmost importance.
Findings from the analysis continued •
What is the security framework or standard used to protect the data? •
•
Have you ever integrated with the City’s CentralSquare CAD software? •
•
Answer: Julota utilizes HITECH CSF as part of our primary data protection strategy. Additionally, Julota operates solely on AWS and may inherit some security frameworks. Please refer to AWS directly for a list of frameworks in use. https://aws.amazon.com/compliance/programs/
Answer: Julota has not integrated with CentralSquare CAD to date.
Is the integration one-directional or bidirectional to the CAD system in order for the data sharing to work according to the architecture of the system? •
Answer: Julota supports one-directional and bidirectional interfacing with CAD, however, often the highest immediate value is a one-directional interface from CAD to Julota, depending on your specific workflows and CAD involvement.
Findings from the analysis continued •
What specific data are you transferring from ESO? •
•
What endpoints does the software run on? •
•
Answer: Julota receives all information from each ESO incident. By default, only portions of this data is actually kept and made accessible within Julota. Generally, the data received from ESO is: incident data, scene data, persons data, crew member information, vital signs, transportation information, medications provided, CAD data if CAD is run through ESO, forms completed, signatures provided, HDE outcomes (HDE is an ESO offering), narrative data, and Referrals. However, all information ESO collects during an incident is delivered to Julota for each incident, but data that isn’t intended to be imported is neglected and not imported.
Answer: There are two primary endpoints, in regards to Julota operating via the web, which are: https://reach-training.julota.com and https://reach.julota.com
Is a VPN required for the sharing of data? •
Answer: Yes, however, if the method is file transport, a VPN is not required as SFTP would be sufficient.
Findings from the analysis continued •
Is encryption required for the sharing and storing of data? •
•
Answer: Yes. In order to remain compliant, all data must be encrypted in transit and at rest if on the Julota system. Julota manages this the at-rest encryption. Depending on the method of transfer of data, certain protocols will be required to be used and must be secure, such as SFTP being supported while FTP is not supported. When connecting to Julota via a browser, Julota does not support connections outside of SSL and TLS 1.2+. Data itself does not need to be encrypted prior to being sent to Julota, however the connection must be encrypted.
Are API utilized to exchange data? •
Answer: Julota does not require the use of APIs. In the event of the use of APIs, Julota will connect over secure protocols to send or retrieve information. Depending on the type of connection, a VPN would be required.
Findings from the analysis continued •
What is the overall structure of this system integration with CAD, ESO •
CAD Answer: If the integration with CAD is a direct file exchange over SFTP, a file per CAD event or batch file of many CAD events would be delivered directly to Julota’s SFTP servers (or fetched if desired) and imported into the system. In the event of a direct connection, Julota would directly connect to the database and pull the agreed upon information per CAD event into Julota on an agreed upon interval. Julota recommends direct connections to be restricted to replicated/slave servers.
•
ESO Answer: The interface between ESO and Julota is one-directional where each incident is received via SFTP. The process of setting up an ESO to Julota interface is as follows: •
City contacts their primary ESO contact and requests the Julota interface. ESO will provide a contract addendum to City for signing. • Once the ESO contract is amended, ESO will contact Julota and security keys will be passed. ESO and Julota will then turn on the interfaces. • Julota will request from ESO a backfilling of incidents from the prior 2 years. This process normally takes 1-2 weeks. • Julota will then work with our primary contact to discuss which data elements to import (if they differ from the default set) via the interface and what criteria to use for creating Referrals between ESO and Julota, allowing the crew to directly refer to Julota without leaving ESO’s applications.
Findings from the analysis continued •
Is ESO required to implement? Currently the City does not have an ESO system in production? •
•
Is this software aligned to NIST Standards? •
•
Answer: Yes. Julota is aligned with NIST SP 800-53.
Are all backups of this software immutable to ransomware? •
•
Answer: No, it is not required to have an ESO interface to implement Julota. It is recommended to interface with as many systems as possible to reduce the need of duplicate entry, provide a longitudinal record, and increase data integrity. However, Julota can be implemented without interfaces if desired.
Answer: Yes. Julota utilizes AWS S3 with versioning enabled, very restricted access controls, and follows a Write-Once-Read-Many model. The processes of backup delivery and retrieval are fully automated and do not allow manual intervention.
In the event of a cyberattack, do you have a recovery plan? •
Answer: Yes. Julota has a Disaster Recovery Plan that is partially tested quarterly and fully tested annually.
Findings from the analysis continued •
Who owns the data (City or Julota)? •
•
What backup recovery Data Assurances are in place? •
•
Answer: Julota is responsible for backup and recovery. No involvement from City is necessary.
How is Julota storing the backups? •
•
Answer: Daily backups are created nightly for 30 days and monthly for 72 months. As part of Julota’s DRP strategy, backup recovery (Disaster Recovery) is tested quarterly in efforts of understanding our current state of change control, high availability, fault tolerance, RPO, RTO, and overall risk mitigation plan.
Who is responsible for restoring the backups of this software (City or Julota)? •
•
Answer: The contract owner owns all data outright.
Answer: All backups are stored on AWS S3 across at least 2 availability zones, both East and West. All backups are encrypted with rotating keys.
Can we configure how frequently backups are made? •
Answer: No. Julota does not provide the ability customize the backup strategy outside of the length of time backups are kept.
Findings from the analysis continued •
What tools can we use to backup data? •
•
Is the data for the backups encrypted? •
•
Answer: Yes. All backups are encrypted using AES-256 encryption.
How long is the data stored? •
•
Answer: Julota is responsible for all backups and the backup strategy. Julota does provide a way for Administrators to download data extractions for manual backups by the City.
Answer: All data is stored for 72 months. Additional time can be requested for up to 120 months.
How much storage is given initially? •
Answer: Julota does not keep track of storage. All storage costs are covered in the standard SaaS license fees.
Findings from the analysis continued •
Using your past experience working with other municipalities what is the average implementation and setup time (in hours/for the first year) for this software to be setup by none IT departments? (Please include the time spent training individual users, setting up accounts per individual, transferring existing data into the software)? •
•
Answer: Total average estimated time for non-IT departments is 15-20 hours over 10-12 weeks, which covers bi-weekly meetings, training, and account(s) setup. This can be less or more depending on how prepared the non-IT departments are for the implementation.
Please also provide the amount of time expected to be needed to maintain the software in subsequent years on average, following the first year setup? •
Answer: It should be expected to spend 5-10 hours per 12 months on additional discussions directly with Julota regarding modifications and enhancements (post-implementation) to support the growth of the programs themselves.
Findings from the analysis continued •
Using your past experience working with other municipalities, what is the average time it will take from an IT department (in hours/for the first year) to ensure the software is setup and correctly running within the City’s infrastructure? (Please include the time spent setting up the connection to the City’s CAD, ESO, and other required connections/infrastructure for the software to run)? •
•
Answer: With no interfaces required for MVP (initial launch), IT should expect less than 5 hours dedicated to conversations with or about Julota. With CAD as an interface, IT should expect 10-15 hours dedicated to technical discussions, connection setup, and/or file generation and delivery to support the interface. The Julota and ESO interface does not require IT assistance outside of any contracting necessary.
In your past experience working with other municipalities what was the time frame for setting up the software to run, with Cities that did not currently have ESO? •
Answer: The difference between implementing with or without ESO is minimal.
Findings from the analysis continued •
Community Safety department has validated the functionality of the Julota software
•
Technology Solutions has validated the integration, data-flows, performance and the cybersecurity capabilities, of the Julota software.
•
The business processes for the Community Safety department are currently in development but will be created prior to deployment in order to take advantage of the capabilities of the Julota software.
•
Is the Community Safety department required to be HIPAA compliant? •
The Community Safety department is not one of the four covered entities requiring HIPAA compliance. 1.
Healthcare Providers
2.
Health Plans
3.
Healthcare Clearinghouses
4.
Business Associates
Findings from the analysis continued •
HIPAA Regulations permits use and disclosure of protected health information, without an individual’s authorization or permission, for 12 national priority purposes. 1.
When required by law
2.
Public health activities
3.
Victims of abuse or neglect or domestic violence
4.
Health oversight activities
5.
Judicial and administrative proceedings
6.
Law enforcement
7.
Functions (such as identification) concerning deceased persons
8.
Cadaveric organ, eye, or tissue donation
9.
Research, under certain conditions
10.
To prevent or lessen a serious threat to health or safety
11. 12.
Essential government functions Workers compensation
Data Flow Capabilities Diagram Near Real Time Dispatching Data Flow From CAD to Julota City of Durham - Julota Data Flow Diagram Julota Software Hub
Fire RMS Community Safety Users Replicated CAD database
Police RMS
Durham CAD
Near RealTime Dispatch and Incident Data
Data Flow Capabilities Diagram Post-Incident Data Flow From Fire New RMS to Julota (Needs to be Built and Tested before production) City of Durham - Julota Data Flow Diagram Julota Software Hub
Fire New RMS
Durham EMS
Incident Data Delivered PostIncident
Community Safety Users
Data Reporting
Data Flow Capabilities Diagram Near Real Time Dispatching Data Flow From CAD to Julota City of Durham - Julota Data Flow Diagram Julota Software Hub
Community Safety Users Replicated CAD database
Durham CAD
Near RealTime Dispatch and Incident Data
Data Flow Capabilities Diagram Post-Incident Data Flow to and from Julota (Needs to be Built and Tested before production) City of Durham - Julota Data Flow Diagram Julota Software Hub
Durham EMS
Incident Data Delivered PostIncident
Community Safety Users
Data Reporting
Solutions Reviewed to solve problem Only one solution was reviewed by Technology Solutions to solve this problem. Julota was the requested tool based on the Community Safety Department’s earlier research. Based on their benchmarking to determine other municipalities that used the Julota as a tool to solve similar business problems. Benchmarked References: •
Douglas County's Mental Health Initiative (DCMHI)
•
Colorado Springs CARES (CARES)
Recommended Solution: Julota Description
Julota is a Cloud-based software as a service platform that integrates with other data sources, enables community resources to share information around clients, case management, data population of longitudinal records, and utilization of alerts and notifications.
Pros
• The Julota platform can be customized to match CSD workflows and program strategies at no additional cost. • Aligned with same system that Community Paramedics will use (who will be key partners of our unarmed responders). This will allow for seamless collaboration and data sharing. • Migration of existing program data, from each existing program, into the Julota platform is included at no additional cost.
Cons
• N/A
Financials Estimate: Julota COST ESTIMATES Description
FUNDING Annual Run Costs (Hours)/ KTLO
Year 1 Costs (Hours)
Departmental Funding Amount:
$68,400
Labor $ (Hours) Internal TS:
75 hours
9 hours
Business Analysis
20 hours
0 hours
TS Services
15 hours
9 hours
Project One Time Costs
$33,300
TS PMO
40 Hours
0 hours
Project Run Cost (External)
$35,100
4,728hours
4,680 hours
$33,300
$0
Internal Department: Community Safety (12 FTE’s Participating) Professional Services Implementation: $18,000 Support Service: $4,800 PM Consultant: $10,500
Non-Labor $ Hardware: Software: Other:
$0
$0
$35,100
$35,100
$0
$0
Funding Requested (Y/N):
N
Total Project Funding for Year 1 *Total Project Funding Requested for Year 1
$68,400
Recurring Cost
$35,100
Recurring Cost Requested for Subsequent Years
*Total Project Funding Requested (External), includes External Year 1 Run Costs and Non-Labor
$0
$0
Timeline for Implementation Project implementation time after contract execution is 10-12 weeks per Julota. Business Case completed and presented to the IT Governance Steering Committee for approval
MAY
Contract to procure Julota tool to be submitted into OnBase
Alpha & Beta Testing is performed on Julota
Service contract for Julota is executed
JUN
JUL
AUG
SEP
OCT
Julota tool goes in production Julota project kick-off
Risk Identification Description of Risk
Risk Impact
Mitigated (Y/N)
Contingency(Y/N)
Poor execution
High
Yes
No
Project team turnover
High
No
Yes
Vendor performance
High
Yes
No
Cyber Security
Low
Yes
No
Mitigation Risk (Costs) •
No cost.
Contingency Risk (Costs) •
No cost
Our Ask
We are asking the IT Governance Steering Committee to approve the business case for the Clinical Management Tool to Support the New Crisis Response Teams. The Community Safety department has the funding for one-time and recurring cost.