Buyers Guide to cloud computing
Infrastructure as a service is fast becoming ubiquitous and for the most part commoditized. Organizations can buy cloud-based computing, storage and networking services from myriad vendors today. Even the healthcare industry, typically slower to adopt new technology, has joined the cloud bandwagon.
The most recent HIMSS Analytics Cloud Survey, in fact, found that 83 percent of IT healthcare organizations are currently using some form of cloud services.
Despite this rush to the cloud, healthcare decision makers must keep in mind they can’t just tap into anybody’s offering. A cloud-based solution that is purpose-built for the regulatory and privacy demands of healthcare and life sciences requires more than compute, storage and networking services.
Healthcare IT News looks at the leading vendors and their cloud offerings with an eye on what matters most to healthcare organizations — including security and compliance, of course.
Learn more about cloud computing services on the market today:
Watson Health Cloud can mask patient identities while allowing for information to be shared and combined for an aggregated view of clinical research and social health data.
HIPAA Compliance: IBM's Cloud is HIPAA-ready, and the company can sign the appropriate BAAs as needed.
Pricing: Varies with service. Provides service level availability commitments, backup and disaster recovery for the full cloud stack.
IBM's Watson Health Cloud delivers a set of services that are used by applications for wellness, care management, population health, oncology and clinical trial matching, as well as a cognitive discovery advisor for life sciences along with storage and an appdev component. The Cloud is the foundation upon which all SaaS applications are built.
"Users of the Watson Health Cloud have the option to build new solutions that meet their specific needs," said IBM Watson Health Vice President Cory Wiegert.
Consumers of the Watson Health Cloud not only store their data in the cloud but also have access to the appropriate subset taken from a data pool of approximately 300 million patient lives. The Watson Health Cloud can mask patient identities while allowing for information to be shared and combined for an aggregated view of clinical research and social health data.
The Watson Health Cloud allows users to apply the advanced analytics of Watson - from predictive analytics to similarity analytics, natural language processing and deep Q&A - to find patterns in the data that can inform healthcare decision making. "The Watson Health Cloud offers one of the largest non-governmental health data sets in the world, including clinical data, research studies, IoT data from wearables and digital medical devices, genomics and more. So that data pool offers population-level insights that are incredibly valuable to healthcare organizations in an era of value-based care," Wiegert said.
A key takeaway is that up until now different research organizations felt the need to keep their data siloed not only for competitive reasons but also because of the lack of sophisticated security controls. Designed to leverage the IBM SoftLayer infrastructure, the Health Cloud uses industry standard protocols to interoperate across different cloud platforms.
This open cloud invites and encourages healthcare and life science organizations to not only aggregate their data but, when appropriate permissions and data-use rights are granted and managed, also to combine data from other healthcare organizations. Of course, the originator of the data must consent to the usage rights, which IBM then ensures are enforced at all times, according to an IBM spokesperson.
Certainly, the massive compute power of Watson and its ability to handle, combine and then interpret massive amounts of complex health data, from medical image data to genomic sequencing, is IBM's strong suit.
IBM's Cloud is HIPAA-ready, and the company can sign the appropriate BAAs as needed.
"We are managing to more than HIPAA standards," Wiegert added. "We are managing to the appropriate data privacy and security standards mandated by the countries in which we operate."
Amazon provides developers and IT teams scalable cloud storage.
HIPAA Compliance: AWS follows a standards-based risk management program to ensure that the HIPAA-eligible services specifically support the security, control and administrative processes required under HIPAA.
Pricing: AWS operates a pay-as-you-go model for over 60 cloud services.
Amazon, under the name AWS (Amazon Web Services), does a lot. In 2015, AWS launched 722 new services, up 40 percent year-over-year.
"We don't plan to stop there," said Steve Halliwell, director of healthcare and life sciences at Amazon Web Services. "Customers benefit from this continual evolution, innovation and iteration because they get the newest and latest features or enhancements instantly."
In contrast to IBM, Amazon cautions customers against trying to architect applications to work across multiple clouds simultaneously or interchangeably. In fact, AWS calls a multi-cloud environment "a headache."
According to Halliwell, every cloud provider has made a unique set of decisions and tradeoffs to arrive at its specific set of services, and it is a tremendous feat of engineering to account for the differences and have an application work well across all platforms.
Customers considering a multi-cloud strategy to obtain operational redundancy can architect a multi-region deployment on AWS. The geographic separation and utility-grid isolation design of AWS's availability zones provide an extremely available infrastructure without the headache of designing for multi-cloud, Halliwell claimed.
AWS follows a standards-based risk management program to ensure that the HIPAA-eligible services specifically support the security, control and administrative processes required under HIPAA. Using these services to store and process PHI allows customers and AWS to address the HIPAA requirements applicable to its utility-based operating model.
Amazon offers nine HIPAA-eligible AWS services today, including the DynamoDB NoSQL database, Amazon Elastic Block Store, which provides persistent block level storage volumes, and Amazon Elastic Compute Cloud, a web service with resizable computing capacity in the cloud.
Other HIPAA compliant services include Amazon Elastic MapReduce, which provides a managed Hadoop framework to distribute and process a large amount of data across EC2. Amazon Elastic Load Balancer, meanwhile, distributes incoming application traffic across multiple Amazon EC2 instances in the cloud, providing a greater level of fault tolerance, according to Halliwell.
Amazon Glacier is a storage service for data archiving and long-term backups, while Amazon Relational Database Service is deployed to set up, operate and scale a relational database in the cloud, and Amazon Redshift offers a fully managed petabyte-scale data warehouse.
The widely known Amazon Simple Storage Service - Amazon S3 - provides developers and IT teams scalable cloud storage.
Google Cloud Platform is hosted on worldwide data centers with Google App Engine on web and mobile back ends, Docker using container cluster manager, platform resources with load balancing in Cloud CDN and Genomics to store, process, explore and share large and complex genomic data sets.
HIPAA Compliance: The Google Cloud Platform supports HIPAA-covered customers with a BAA comprising Compute Engine, Cloud Storage, Cloud SQL, Genomics and BigQuery.
Pricing: A combination of sustained use discounting and per-minute billing are offered without usage commitments, prepayment requirements or price lock-in offers.
Google, whose name derives from a googol, a mathematician's name for the number 1 followed by 100 zeros, lives up to its namesake by offering an unprecedented number of cloud services.
"Our cloud platform is built to address the common needs of any business or organization that wants to take advantage of cloud computing," said Joe Corkery, senior product manager for healthcare and life sciences, Google Cloud Platform. Here is just a sampling of Google's cloud services:
Google Compute Engine runs its workloads on virtual machines hosted within Google's worldwide data centers. The compute offerings include Google App Engine, both for Web and mobile back ends. Google Container Engine runs Docker containers using Google's open source container cluster manager, Kubernetes, a platform for deployment, scaling, and operations of containerized applications.
Storage and databases can be run on Google Cloud Bigtable and Cloud Datastore, a NoSQL database for storing non-relational data, while Cloud SQL stores and manages data using a relational MySQL database. Also, the Cloud Virtual Network allows healthcare organizations to manage their cloud platform resources with load balancing, Cloud CDN (content delivery network) and a cloud domain name system.
BigQuery engine is a data warehouse for large-scale data analytics that can work in conjunction with Cloud Datalab for data exploration, analysis and visualization.
Genomic research is probably among the biggest healthcare stories to come out of the Google Cloud Platform. According to Corkery, Google Genomics is "one of the major reasons why Google Cloud Platform appeals to the life science community." Google Genomics is a solution created for researchers who depend on cloud computing to handle the scale of their data from petabytes to exabytes. It stores, processes, explores and shares large and complex genomic data sets.
"Through our extensions to Google Cloud Platform, customers can apply the same technologies that power Google Search and Maps," Corkery said.
Another unique cloud offering from Google is its machine learning capabilities. TensorFlow is an open-source computational library that can be run across any CPU or operating system using a single API. While TensorFlow is Google's open source library, Google offers cloud machine learning products too. Google's Cloud Machine Learning APIs allow any developer to build machine learning into their applications, and Google offers a fully managed machine learning platform that is integrated with other Google Cloud Platform products.
The Google Cloud Platform supports HIPAA-covered customers with a BAA comprising Compute Engine, Cloud Storage, Cloud SQL, Genomics and BigQuery.
"Using a cloud service provider doesn't necessarily mean that a company no longer needs an IT staff," Corkery explained. "Rather, operational teams will focus less on traditional IT tasks and more on addressing business requirements and supporting applications."
CDW and its partners offer the rapid deployment of applications in a user-friendly dashboard, integrating information across multiple environments.
HIPAA Compliance: Brokers and recommends various HIPAA compliant clouds in CDW's data center or through preferred partner channel.
Pricing: Not available
Illinois-based CDW offers SaaS, IaaS, applications and services that span more than 200 products with 30 different categories of the cloud. Options include office productivity, communication and collaboration, and long-term archive, backup and disaster recovery.
With its focus on healthcare, CDW promises the healthcare community the ability for rapid deployment of applications in a single-pane view-management console integrating information across multiple environments and presenting it on a user-friendly dashboard.
CDW Cloud client executive Sandra Yu said CDW understands that HIPAA compliance is a must have for healthcare organizations.
"As such, CDW Healthcare helps to broker and recommend various HIPAA compliant clouds to our healthcare customers whether it is in CDW's datacenter or through our preferred partner channel," Yu said.
Yu, like most of the other executives interviewed for this Buyers Guide, said that cloud solutions are not an IT panacea that necessarily gives personnel more time and less pressure to handle day-to-day challenges.
"That is a common misconception and not accurate. It is a hybrid world that demands a cultural shift, which can be difficult for IT," Yu said. "When you move to a cloud, tools are different, and there are new dynamics to concentrate on, security and bandwidth for example. You might be relieved in one area, but you have to take on new concerns."
The Microsoft OSA program provides an operational security baseline across all major cloud services, helping ensure key risks are consistently mitigated.
HIPAA Compliance: Many of Microsoft's cloud services are HIPAA-compliant and covered by the business associate agreement the company signs.
Pricing: Based on usage and takes into account a blend of on-premises and cloud usage.
The Redmond-based giant takes a layered approach to building more secure technology that it calls the Security Development Lifecycle. One might say SDL bakes security into the cake recipe rather than using security as the icing on top.
"SDL implements strong security measures that safeguard data from hackers and unauthorized access with the latest state-of-the-art technology, process and certifications," said Neil Jordan, GM of Health Worldwide at Microsoft.
Complementary to the SDL is the Operational Security Assurance program. The Microsoft OSA program provides an operational security baseline across all major cloud services, helping ensure key risks are consistently mitigated.
In addition to SDL and OSA, Microsoft works with the tech ecosystem to help better protect and secure healthcare organizations. The company currently invests more than $1 billion in security research and development per year and has created a dedicated group of worldwide security experts, the Microsoft Enterprise Cybersecurity Group, to deliver solutions, expertise and services for customers. And it opened a cyber defense operations center that works 24/7.
Jordan said the conversation around security, in-house versus in the cloud, has been flipped, explaining that in the past CISOs wondered if cloud security could be equal to what one could do in-house. Now it is the cloud that offers levels of security unattainable by behind-the-firewall systems.
"Whatever a typical security manager has to deal with in other industries it is four to five times greater in healthcare. The technology has moved," said Jordan, pointing out that a massively cross-platform security infrastructure is now a requirement, one that can be delivered faster, more efficiently and typically at less cost in a cloud.
Power BI is a Microsoft Azure analytics service that offers users a non-tech dashboard to design and view interactive reports. Users can combine internal data from EMRs with external data from trustworthy open data sources. Using visualization tools, the healthcare organization can gain insights into trends and patterns in healthcare it did not know existed.
"One of the biggest IT headaches has been how to get insight from the data we are collecting," Jordan said.
Beyond security and advanced analytics, Microsoft Azure offers the full complement of cloud services including an Enterprise Mobility Suite, a set of cloud software services to manage all mobile environments no matter the operating system, networking, storage, appdev, virtual desktop or disaster recovery plan.
Many of Microsoft's cloud services are HIPAA-compliant and covered by the business associate agreement the company signs.
This service allows organizations to scale up resources and scale them back down quickly while ClearData automates provisioning and monitoring of those environments and applications.
HIPAA Compliance: ClearData has a special focus on security and HIPAA compliance.
Pricing: Pricing is primarily pay-by-the-hour, but there is a range of pricing models that allow users to configure databases that run all the time as opposed to Web services that may need to be configured for bursting models.
Unlike most of the other cloud solution providers in this Buyers Guide, ClearData is solely a healthcare cloud service provider with a special focus on security and HIPAA compliance. Typically an organization porting its healthcare data and applications into the cloud would configure each as a unique service, each with its own configuration options to remain compliant with HIPAA standards. The ClearData healthcare platform can automate provisioning and monitoring of those environments and applications to ensure that they remain compliant. As a result, it allows organizations to scale up resources and scale them back down more quickly than in their data centers.
"If you were to use a generic cloud or cloud by itself without any additional platform, you have to provide all the automation or all the security services around the cloud itself, so when you want to scale up you would have to provision 10 servers and then you would have to add 10 to 20 more services of security and compliance application around them," ClearData CTO Matt Ferrari said.
ClearData also offers a security and compliance dashboard that in real time identifies the compliance state of the organization's infrastructure. If some part of the infrastructure is configured incorrectly, the system detects and notifies, allowing users to correct it on the fly. "As an example, if you enabled a piece of cloud storage and you didn't put encryption on it, we would immediately flag that as not available for your environment until the encryption is turned on," Ferrari added.
ClearData offers cloud services for data recovery and disaster recovery via a private data center and from cloud to cloud.
The ClearData technology is built on top of Amazon's AWS cloud infrastructure. Amazon does all the heavy lifting so that ClearData can build any number of configurations for clients based on software automation, Ferrari said.
"If you use AWS APIs there is nothing we do that will get in the way of that," Ferrari explained. "Our platform automatically responds to changes leaving the integrity of the AWS account and your automation intact. This allows you to operate the AWS environment yourselves or have us fully manage it for you."
Flexibility is key to Verizon's product, which connects to the client's existing IT system as well as to other hosted platforms and comes with planning and migration tools.
HIPAA Compliance: In select data centers, the multi-tenant platform is HIPAA-ready and can be put into a common framework of multiple clouds for healthcare services. Verizon offers other HIPAA-ready services and negotiates BAAs with clients without charging an additional fee.
Pricing: Verizon's offerings for Cloud and Managed Hosting are priced on a usage and commit model. Elements of compute, networking, operating systems, and storage are broken down by a client's usage during the month.
Flexibility appears to be one of Verizon Cloud's strong suits. It provides a cloud that is capable of connecting to the client's existing IT system as well as to other hosted platforms, offering Cloud Onboarding Services that include planning and migration tools, and project-based on-boarding and professional services.
The Verizon Cloud demonstrates its flexibility with services that give clients the ability to match the level of support to each application on each of a client's virtual machines. Verizon Cloud Compute offers both virtual private and private cloud spaces that can be customized based on their unique workload demands.
Healthcare enterprises can integrate Verizon Cloud with their existing private network or solutions such as Verizon Managed Hosting. Verizon offers network connections via secure channels that link only to the cloud resources to which clients subscribe.
As another example of Verizon Cloud's "hybridity," the Secure Cloud Interconnect, a feature of its Private IP Network service, offers links to other cloud service providers as well as to the client's existing IT system.
In select data centers, its multi-tenant platform is HIPAA-ready and can be put into a common framework of multiple clouds for healthcare services.
Verizon offers other HIPAA-ready services and negotiates BAAs with clients without charging an additional fee. And the company offers its healthcare enabled services in five data centers to enable a broader range of HIPAA-compliant cloud and data center infrastructure services.
Verizon Cloud inherently includes Remote Hands and Smart Hands. Remote Hands can include, but is not limited to, securing cabling, checking port numbers, and reporting indicators on equipment, while Smart Hands includes such services as setting up a firewall, management and collocation equipment. Other services include cloud backup and cloud managed services for operating systems, applications and databases, as well as intrusion detection protection and log aggregation for cloud and managed hosting.
Verizon Managed Hosting, for its part, includes an option whereby Verizon provides encryption for the client. Encryption services are offered for backup with keys that can be obtained to encrypt or decrypt. Verizon Managed Databases includes built-in encryption options for the Oracle and Microsoft database offerings, which the client can elect to enable.
Verizon also provides encryption services by default for data backup and restore and virtualized data recovery.
Virtualized disaster recovery and data backup and restore services are offered in select data centers that provide HIPAA-readied options required for a healthcare environment.
When it comes to the service agreement or the BAA, there is a delineation between what the client is responsible for and what Verizon is responsible for providing, and what type of services a client selects to meet their needs.
"A client may have primary responsibility to HIPAA, and we are the secondary providing the back-end services," said Dan Jablonski, Verizon director of product management.
Although not there yet, Verizon will be expanding its cloud services around mobility and providing a unified delivery framework in a fully managed environment.
Jablonski pointed out that although an organization's current IT can typically deal with the cloud environment, Verizon has seen an uptick in requests for cloud administration as a service.
"We can work with the client to design a solution that right-sizes the level of IT management fitted to their requirements. This way, the client's IT staff can work more closely on their own business, freeing them up to work on specific applications and workloads, rather than the more generalized infrastructure services," Jablonski said.
VMware vCloud Air public cloud platform has three infrastructure-as-a-service subscription service types: dedicated cloud, virtual private cloud and disaster recovery.
HIPAA Compliance: VMware offers a Business Associate Agreement (BAA) to all customers using U.S.-based data centers.
Pricing: Varies by service. The variables include all of the different components of a cloud agreement, including SLAs, scale and contract length. In addition, there are IaaS services and disaster recovery services with varying recovery point objectives, as well as database-as-a-service offerings.
VMware offers three cloud solutions that stand out. First, a single unified hybrid cloud spans the public and private cloud and includes a desktop-as-a-service option.
The public cloud services component of the platform can come from VMware, or customers can choose from any one of 4,000 partners in its vCloud Air Network.
VMware vCloud Air and the vCloud Air Network offerings have been created and built from the ground up as a hybrid solution using VMware's Software-Defined Data Center architecture solutions for virtualized compute, networking and storage.
VMware vCloud Air public cloud platform has three infrastructure-as-a-service subscription service types: dedicated cloud, virtual private cloud and disaster recovery.
Second, for private cloud networking, the VMware NSX network virtualization platform delivers the operational model of a virtual machine for the network by abstracting, pooling and automating networking for the SDDC. VMware NSX reproduces the entire network model in software (e.g. switching, routing, firewalling, load balancing, VPN, etc.), enabling any network topology for the cloud data center, from simple to complex multi-tier networks, to be created and provisioned quickly without modifying the application.
NSX also delivers what is now called micro-segmentation to create a Zero Trust environment.
Forrester Research coined the term "Zero Trust" and describes it as "a model that prevents common and advanced persistent threats from traversing laterally inside a network. This can be done through a strict, micro-granular security model that ties security to individual workloads and automatically provisions policies. It's a network that doesn't trust any data packets. Everything is untrusted. Hence: Zero Trust."
The Zero Trust segmentation architecture ensures that patient data is not compromised even if a breach occurs. Even applications that might be on the same physical server sitting right next to each other do not share the same virtual network, and therefore don't even see each other, thus reducing the attack surface, according to Bill Hudson, VMware's former chief healthcare strategist.
Third, VMware Horizon Air delivers cloud-hosted virtual desktops and applications to any device, anywhere, from a single cloud control plane. Cloud-hosted virtual desktops and apps can reduce costs, enhance productivity and minimize downtime for healthcare organizations.
VMware squarely has its sights set on being the premier hybrid cloud provider to such an extent that Hudson, who now is vice president of IT operations at John Muir Health, liked to tweak the nose of VMware's competitors by warning potential customers of cloud vendor lock-in from other providers.
"The cloud has become the new lock in. CIOs may discover if they want to move from the cloud back on premises, there's a great deal of pain involved," Hudson said.
VMware also touts the fact that the tools and technologies IT has typically already deployed within its four walls are often the same tools offered by VMware, thus, Hudson added, "taking work off their plate."
On the other hand, if customers are looking to clouds that use infrastructure that they are not familiar with, "all of the purported time and cost savings can get eaten up simply by having to train your staff on the new platform," Hudson said.