Stronger security and disaster planning fuel healthcare's migration to the cloud
Healthcare did not lead the charge into the cloud. But it has been making up for lost time. The use of cloud platforms has grown substantially within healthcare provider organizations.
A recent HIMSS Analytics survey of provider C-suite executives found that more than half are using Infrastructure-as-a-Service (IaaS) cloud platforms to provide an environment for a wide range of uses, from hosting internally developed programs to running a fully functional EHR.
HIPAA privacy and security concerns were one reason for the slow start. But once HHS provided clear guidance on how to address PHI issues and work through Business Associate (BA) relationships, everything changed.
Today, very few healthcare CIOs consider security a reason to avoid the cloud. Quite the opposite. The HIMSS Analytics survey found that disaster preparedness is now one of the leading reasons why healthcare CIOs are making the decision to shift resources onto cloud platforms. The savings are compelling. Why rent storage in a redundant data center to maintain a fully functioning backup when you can pay for only what you need in the cloud?
“You don't have to worry about your infrastructure and data center,” said Jason Bickford, Applications Director of Health Information Management Systems at Banner Health and president of the HIMSS Arizona Chapter. “Cloud-based is the right way to go.”
Disaster recovery in the cloud also has value as a stepping stone on the way to moving production-level clinical applications into a cloud environment. The logic is compelling. Once the backup clinical application has been confirmed to be running smoothly in parallel, the cloud option has proved itself reliable, so why not take advantage of the potential savings?
That is not to say that security isn’t a priority. After budget limitations, HIMSS Analytics survey respondents cited security concerns as a reason to move slowly toward the cloud.
“Regardless of whether a solution is hosted in your own data center or in the cloud, security should be a critical factor in your review,” advises Susan Snedaker, Director, IT Infrastructure & Operations at Tucson Medical Center and author of the book IT Security Management. “There’s nothing inherently more or less secure about a cloud option, but some cloud-based solutions may not meet today’s stringent security requirements.”
In selecting a cloud platform vendor, Snedaker advises a careful review of the vendor’s documentation and contracts. Pay attention to the provider’s security program and make sure that audits take place on a regular basis.
“If your database is going to be hosted on the same server as another database from another company, what happens if the other database is attacked? Can the attacker then gain access to your data?” Snedaker says. “Be sure to understand the specifics of the hosting solution so you are clear about your vulnerabilities. Then take steps to mitigate them – select a different solution, select a different hosting model, ask the vendor to modify policies, processes, procedures, access methods, etc. or accept the risk if it cannot be overcome and there are no better options.”
Security consultant Tod Ferran of Halock Security Labs has performed audits of the large cloud platforms, Microsoft, Amazon and Google, and found the services are maintaining a very high level of security. “In many ways,” Ferran said, “the cloud is a better choice because many hospitals can’t afford the staff to make their systems secure enough.”
As the nature of risk has changed, so has the value equation. Strong security means constant maintenance of operating systems and applications within the healthcare enterprise. HIT managers can gain peace of mind from knowing the updates are being performed by a vendor that is guaranteeing round-the-clock support, rather than by a hospital staff already stretched with aggressive internal project loads.
Many healthcare providers use multiple cloud vendors, cherry-picking among the different options to align with the specific demands of each application.
“Organizations are not putting all their eggs in one basket,” said Sandra Yu, cloud client executive at CDW. “It’s a multi-cloud world.” CDW partners with a large number of cloud hosts in providing managed cloud services, so Yu has experience with many vendors.
“If you have needs for hyper computing, we would recommend a public hyperscaler for that,” she said. For PHI she would recommend a private cloud.
For applications that have a heavy computational workload, you need to be sensitive to the cloud’s latency, so she would recommend a cloud data center that is geographically closer. But for something that is not PHI-sensitive, she would recommend a public cloud where the costs should be lower.
“The clinical apps that can work well in the cloud are typically those that are not transferring large files or data streams,” Snedaker says. “If you’re going to host a data intensive clinical application in the cloud, you should be sure you have the right connectivity solution in place.”
When factoring in all of the reasons to move to the cloud, in the end, cost is still a prime motivation. The savings come not only from reducing the cost of maintaining data centers; the pricing for IaaS also continues to go down.
“It’s like a race to the bottom,” Yu said, noting that when one of the major vendors lowers its price, the others are quick to match it. Pricing among the leading public cloud vendors is generally on par now, so decisions should be made after shopping for the services and support that you’ll need. Pay-as-you-go options are readily available, so trials are simple to set up.