Defining the strategic business goals for an EHR cloud migration

It is important that provider organizations develop a clear picture of their EHR migration objectives before choosing a CSP.
By Gus Venditto
02:18 PM
strategic business goals for EHR cloud migration

The growth in the amount of data to be managed in healthcare shows no signs of slowing. Records of patient encounters are just the tip of the iceberg.

The increased use of connected digital medical devices and health information exchanges (HIE) means that healthcare providers are collecting, storing, and sharing more data than ever in their electronic health records (EHRs). On top of that, analytics programs, which are still in their early stages, are now generating a continuous stream of reports that need to be shared across health systems. And coming soon will be the need to store genomic data as precision medicine uncovers new treatments.

The challenges posed by this growth of data and the need to support collaborate teams is part of the appeal for migrating the EHR and other IT functions to a cloud.

There’s no specific blueprint for an EHR cloud migration. But an important first step is to define the strategic business and operational goals. Your organization will be in a better position to choose the right cloud model, the right cloud provider, and the right migration path if you identify the benefits you want to gain from a cloud-based approach. 

The obvious benefits to providers of a cloud deployment are faster and easier access to data by clinicians, reduced IT and capital costs, better data backup and disaster recovery (DR), greater storage capacity, and a powerful and scalable platform for analyzing data.

In a 2016 HIMSS Analytics survey, increased performance and reliability was the top reason cited by healthcare IT executives for a cloud migration, followed by ease of management, total cost of ownership (TCO), and infrastructure agility.

These and other reasons to adopt a cloud solution (such as speed of deployment and lack of internal staff/expertise) are not mutually exclusive, of course. Providers interested in lower TCO will also want to keep IT staff costs down. Those seeking improved performance and reliability likely will be interested in infrastructure agility, speed of deployment, and business continuity.

A key element in devising a strategy for an EHR cloud migration is conducting a network bandwidth assessment. The continuous transmission of data and services to and from an off-site cloud facility can easily exceed the capacity of the existing network infrastructure. This in turn could lead to data accessibility and network performance problems during peak usage hours, offsetting the expected clinical and operational benefits of a cloud-based EHR.

Security and Privacy

A major strategic consideration for healthcare providers when planning an EHR migration to the cloud is the security of protected health information (PHI). Under HIPAA (the Health Insurance Portability and Accountability Act), information created, stored, or shared by “covered entities” in the course of must be protected in order to shield the identity of patients.

Information protected under HIPAA includes a patient’s name, Social Security number, date of birth, contact information, health insurance identification numbers, diagnoses, courses of treatment, medications, and billing details. Failure to protect PHI under HIPAA requirements can be costly: Fines range from $100 to $50,000 per violation, with an annual maximum of $1.5 million. (Criminal penalties also are possible under HIPAA.)

A number of hospitals and other healthcare providers have paid seven-figure fines for HIPAA violations, including Oregon Health & Science University, which paid $2.7 million to settle a pair of HIPAA violations in 2013, one of which involved patient information stored in a Google-based cloud system for which the health system lacked a contract.

HIPAA also requires covered entities and business associates to “conduct risk analyses to identify and assess potential threats and vulnerabilities to the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit,” the U.S. Department of Health and Human Services (HHS) explains.

In addition to protecting patient privacy under HIPAA, healthcare providers considering an EHR cloud migration must determine how data stored with a cloud services provider (CSP) should be secured. Specifically, provider organizations need to decide how much control over healthcare data, applications, and processes they are willing to cede to a CSP.

However, even if a contract gives a CSP high levels of control over PHIs, applications, and processes, healthcare providers bear responsibility for protecting data and meeting compliance requirements. “Healthcare entities must stay informed of where and how electronic protected health information (ePHI) is moved, handled, or stored by their CSP,” advises the Cloud Standards Customer Council. “For example, if a CSP moves data to another country, it may be subject to international laws and therefore non-compliant with government regulations.”

HIMSS established a Cloud Computing Work Group to provide guidance on creating an acceptable use policy (AUP) for an organization as it moves applications and communications to the cloud. The template is available for download from HIMSS.org

Private, public and hybrid

The most fundamental decision providers must make is choosing a cloud computing model – public, private, or some hybrid. A 2016 HIMSS survey shows that private clouds comprise roughly three-quarters of healthcare provider cloud deployments (74 percent), nearly three times the number of public cloud deployments (26 percent).

This doesn’t mean healthcare organizations must choose one or the other; they might opt to employ a hybrid model, mixing public and private platforms. The HIMSS survey reveals that healthcare providers typically have at least three different CSP vendors, while most employ a combination of private and public clouds.

A number of factors can influence a provider’s choice of cloud computing models, including security and accessibility issues, pricing, performance levels, and more. These requirements can vary depending on the workloads being migrated to the cloud, which explains why most providers use a mix of public and private clouds and more than one CSP.

Advice on how to take a step-by-step transition with cloud computing platforms

John Houston, UPMC vice president of security and privacy and associate counsel at shares his experience with cloud vendors and how he approaches questions of uptime reliability and security. He spoke at the Healthcare Security Forum in September 2017.

Finding the Right EHR vendor

While an experienced healthcare CSP can offer useful advice regarding cloud migration strategies and goals, it is important that provider organizations develop a clear picture of their EHR migration objectives before choosing a CSP. This will make the vendor selection process faster and reduce the odds of healthcare providers choosing a CSP whose services and contract terms are misaligned with their needs.

Once a healthcare provider has determined the strategic goals of an electronic health records (EHR) migration to the cloud, IT and business decision-makers can begin making choices about cloud models, cloud services vendors and migration plans.

This doesn’t mean healthcare organizations must choose one or the other; they might opt to use multiple vendors and multiple cloud computing models. The HIMSS survey reveals that healthcare providers typically have at least three different CSP vendors, while most employ a combination of private and public clouds.

A number of factors can influence a provider’s choice of cloud computing models, including security and accessibility issues, pricing, performance levels, and more. These requirements can vary depending on the workloads being migrated to the cloud, which explains why most providers use a mix of public and private clouds and more than one CSP.

Learn more: