Our expert trio takes on the cloud
1. To cloud or not to cloud?
By Bob Rossi, Vice President, CDW Healthcare
Earlier this year, we surveyed 150 healthcare decision makers familiar with their organization’s cloud implementations and gained a deeper understanding of key cloud trends in the healthcare marketplace.
Healthcare decision makers report that 35 percent of their organizations’ IT services are either totally or partially delivered via the cloud, highlighting the industry’s growing enthusiasm for the platform. (This finding aligns with other industry yardsticks, such as Imprivata’s 2013 Desktop Virtualization Trends in Healthcare report, which found that 30 percent of healthcare IT decision makers were using cloud apps and services.) Of the cloud services recorded in our survey, organizations migrated 53 percent into the cloud from traditional delivery models, while 47 percent originated in the cloud.
Looking ahead, healthcare organizations report considering delivery of 33 percent of future IT services totally or partially via the cloud; however, developments in healthcare IT such as telehealth and health information exchanges provide additional incentive for healthcare organizations to continue making strides toward greater cloud adoption.
Where’s the money?
Cost savings continue to be one of the most advertised benefits of cloud services, with Frost & Sullivan reporting that cloud storage can cost 10 times less than regular storage systems. The impact of the cloud multiplies when you consider the “soft cost benefits,” including improved efficiency, productivity and more. However, 58 percent of our healthcare survey respondents stated that cloud is inexpensive to buy, but expensive and/or difficult to implement and integrate with other resources – highlighting an often-overlooked aspect of cloud costs that can be difficult to quantify.
Regardless of savings potential, there is no consensus on a preferred model for predicting costs and benefits of cloud services. According to our survey, vendor-provided financial models are the most popular among healthcare organizations (35 percent), followed by models from IT analyst firms and third-party consultants (both tied at 25 percent). Despite financial forecasting attempts, almost half (48 percent) of healthcare organizations say their models proved to be off by more than 10 percent. The cloud savings are real enough, but an organization should measure savings within the context of its own financial figures, not the entire cloud industry. By carefully considering the savings variables used in financial models, organizations can take the first steps to ensuring accurate models.
2. What are some of the benefits healthcare organizations are seeing through the adoption of cloud computing?
By Jonas Hellgren, President, Chief Executive Officer, Vaultive
First and foremost are the cost savings; the partnership with a cloud computing provider eliminates the need for organizations to invest in hardware infrastructure and maintenance. Secondly, the cloud also enables improved collaboration – when specific information is needed in multiple places, by different service providers at the same time, this information can be synchronized and shared in real time. Third, access and flexibility have emerged as benefits of the cloud as well. With the emergence of bring-your-own-device (BYOD) policies, health practitioners are able to utilize their personal laptops, smartphones and tablets with the cloud, making it possible to be more productive and access patient data anywhere, anytime.
Are concerns around security and the confidentiality of patient information unwarranted?
These are valid concerns, which is why healthcare organizations need to do their due diligence when selecting a cloud service provider (CSP) to partner with. Cyber attackers are focusing more and more on accessing patient and healthcare data. At the same time, regulations such as the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Health Information Technology for Economic and Clinical Health (HITECH) Act mandate the protection of personal healthcare information. The Office of Civil Rights has intensified HIPAA-HITECH breach penalties to create consequential incentives for securing healthcare data. Healthcare organizations need to do their homework when it comes to confirming that their CSP is HIPAA ready. To ensure compliance with regulations and minimize risk, healthcare organizations should adhere to these best practices:
- Have a business associate agreement (BAA) with your CSP that is in line with the new requirements of HIPAA through the Omnibus Rule.
- Make sure your CSP offers daily operational procedures that log and monitor the data in the cloud 24/7 in order to look for any suspicious activity and adhere to notification requirements as defined by HIPAA.
- All healthcare data stored on CSP hard drives, including emails and attachments, must be encrypted throughout the data lifecycle – spanning encryption in transit, at rest and in use.
- The encryption keys must be separated from the data, ensuring segregation of duties between the provider hosting your data and the encryption keys.
How did the HIPAA Omnibus Rule change things for the cloud?
On January 25, 2013, the U.S. Department of Health and Human Services (HHS) released the Omnibus Rule that modified the 1996 legislation of HIPAA. Any credible CSP should be happy to sign a BAA, but it’s important to remember that it’s only a starting point. A BAA acknowledges the hosting provider’s legal responsibilities and liabilities to the healthcare organization. But even more than that, it establishes a culture of a partnership geared toward compliance. Any agreement should include provisions for the following:
- User tools. Before contracting a CSP, healthcare organizations must fully understand the provider’s built-in tools, enterprise-wide privacy and security protections, as well as any configurable tools to establish additional privacy and security protections. The availability of these tools and how they will allow the user to increase the level of privacy and security should be included in the BAA.
- Encryption. HIPAA regulations specify that encryption should protect patient data throughout its lifecycle – in transit, at rest and in use. The BAA should address this, as well as who will hold the encryption keys.
- Data location. Many cloud providers store redundant copies of data in multiple locations in an effort to ensure availability in the event of a natural disaster or other service outage. HIPAA does not require that patient data be held within the United States, but allowing it to be stored outside America can create difficulties for a healthcare organization in the event of a breach.
- Return of data. HIPAA regulations require that BAAs address the return or destruction of patient data at the termination of a business associate relationship.
- Contingency planning and disaster recovery. Cloud providers can often provide better protection in the event of outages or disasters; however, the BAA should address the specific requirements to be met by the provider in this type of event.
- Service level agreements (SLAs). SLAs outline the metrics by which a CSP’s performance will be measured and establish the penalties they must pay if performance falls short.
What are the new notification requirements as defined by HIPAA, and how can healthcare organizations make sure they’re meeting them?
The Omnibus Rule made a number of changes to the Breach Notification Rule. Most notably, it clarified the term “breach” to basically mean guilty until proven innocent. It added language to the definition of breach to clarify that an impermissible use or disclosure of protected health information is presumed to be a breach unless the healthcare organization, or its business associate, is able to prove there is a low probability that the protected health information has been compromised. If an organization is not able to prove this, they are required to notify all affected parties following the breach notification guidelines.
For these reasons, encryption really is an organization’s best option when it comes to this redefinition of what constitutes a breach and what’s required in its wake. For those organizations that encrypt their patient data, they can be sure that even if unauthorized access has occurred, all that’s being viewed by anyone not holding the encryption keys is gibberish – making it easy for them to prove the low probability of compromise.
Why do you think there’s still resistance within the healthcare community when it comes to encryption?
Much of this resistance is based on fear of change – a fear of what encryption could inadvertently do to sensitive integrated healthcare systems. The issue in healthcare is that data needs to be shared across a large number of organizations, including doctors’ offices, medical clinics, hospitals, various outpatient providers, health insurance providers, pharmacies and much more. It is no surprise that healthcare organizations are resistant to encryption, since access to this data is required by so many.
Many healthcare leaders believe that encrypting data increases the time to retrieve and review information, which ultimately decreases efficiency. However, this is no longer the case with today’s encryption technologies. The need for encryption is not just theoretical – it’s seen in the real world every day. Just two years ago, a Massachusetts-based healthcare provider was ordered to pay $1.5 million as a result of stolen patient data on an unencrypted laptop. A more thorough encryption strategy could not only have saved this organization $1.5 million but also saved them from damage to an invaluable asset – brand trust.
Healthcare organizations need to be very specific about the type of encryption they deploy, however. HIPAA calls for patient data to be encrypted throughout its lifecycle – in transit, at rest and in use. Securing data in all three states ensures patient data is never exposed to anyone, except the organization holding the encryption keys.
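As an added example (not code from any of the contributors or their companies) of the key separation in the best practices above and of the "gibberish without the keys" argument: the organization keeps a key-encryption key (KEK) and uploads only ciphertext plus a per-record data key wrapped under that KEK, so the hosted copy is unreadable and tamper-evident to anyone who does not hold the KEK. The record layout, the KEK source and the sample values are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// StoredRecord is all the provider holds for one record (constructed layout); the organization-held KEK is never in it.
type StoredRecord struct {
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK): per-record data key, wrapped
	Ciphertext []byte // nonce || AES-GCM(DEK, PHI)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read always fills the buffer
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails on a wrong key, wrong record ID or any modification.
func open(key, data, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil || len(data) < aead.NonceSize() {
		return nil, fmt.Errorf("cannot open record: bad key or truncated data")
	}
	return aead.Open(nil, data[:aead.NonceSize()], data[aead.NonceSize():], aad)
}

// EncryptForCloud runs on the covered entity's side before upload: a fresh DEK per
// record, wrapped under the KEK, with the record ID bound as associated data.
func EncryptForCloud(kek, recordID, phi []byte) (StoredRecord, error) {
	dek := make([]byte, 32)
	rand.Read(dek)
	wrapped, err := seal(kek, dek, recordID)
	if err != nil {
		return StoredRecord{}, err
	}
	ct, err := seal(dek, phi, recordID)
	return StoredRecord{WrappedDEK: wrapped, Ciphertext: ct}, err
}

// DecryptFromCloud needs the organization-held KEK; the hosted copy alone yields nothing.
func DecryptFromCloud(kek, recordID []byte, r StoredRecord) ([]byte, error) {
	dek, err := open(kek, r.WrappedDEK, recordID)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, r.Ciphertext, recordID)
}
```

Binding the record ID as associated data also means a ciphertext moved to another patient's record fails to decrypt, which a plain at-rest encryption scheme would not catch.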
3. How has protecting patient information in the cloud evolved?
By Jake Hughes, Citrix Healthcare Evangelist
As the amount of patient data continues to grow at an unprecedented rate, more and more hospitals and healthcare organizations are looking for ways to integrate cloud computing into their existing IT systems. And with the potential benefits and cost savings enabled by the cloud, IT and business decision makers face the formidable task of evaluating and comparing cloud computing offerings from different providers.
Adding complexity to these considerations is that ensuring HIPAA compliance requires hospitals and providers to keep electronic patient health information (ePHI) secure while still making it readily accessible to clinicians when and where they need it.
The challenges associated with these requirements continue to evolve. Traditionally, electronic medical record (EMR) or picture archiving communication systems (PACS) contained ePHI. However, with the complexity and scale associated with deploying IT infrastructure in healthcare, controlled data is now everywhere. No longer limited to just those systems, ePHI appears throughout the entire IT infrastructure.
To accommodate this proliferation of sensitive information, hybrid and public cloud providers as well as internal healthcare IT teams have developed strategies to make sense of how this data is controlled, ensure it doesn’t get into the wrong hands, and take necessary precautionary measures to make sure it’s not usable by third-party entities or organizations.
Utilizing traditional IT systems and strategies meant that ePHI and other controlled data was constantly moving out to locations that were less and less secure, primarily distributed workstations out in the field as well as through virtual private networks (VPNs), and unsecured machines like home computers and even public kiosk machines. This situation – in which the agendas of data availability and security are seemingly at odds with each other – drives a constant struggle: Can we create a usable, enhanced clinician environment from an IT standpoint that is also secure?
These competing agendas also result in a fight for control over the user experience. When environment security is viewed as the top priority, it typically impacts overall clinician satisfaction with the IT experience in a negative way. Conversely, when techniques are used to improve user/clinician satisfaction, an environment’s security decreases. Modern healthcare organizations have to find a way to deliver a favorable user experience while still ensuring data security.
To take advantage of the cloud and all it has to offer, hospitals and healthcare organizations have started to embrace the idea of moving away from physical servers, virtualizing assets within the data center and adopting a private cloud environment where services, applications and infrastructure are pooled together. Doing so is an attempt to provide a more effective, efficient environment – and the beginning of offering private cloud and on-demand resources.
However, the private cloud mentality views the infrastructure and orchestration leveraged by IT as highly complex. Rather than improving internal IT’s ability to deliver resources and applications that enhance the user experience, the private cloud grew more and more, the amount of competition increased and the complexities of the data center surged. Similar to trends in other industries, this led the IT shops themselves to look for a way to improve operations efficiency, reduce capital and operational costs, and achieve an infrastructure-as-a-service (IaaS) model rather than manage the basic plumbing and infrastructure component.
In recent years, cloud service giants like Amazon and Microsoft have matured to a point where moving significant portions of infrastructure to a public cloud is now a viable alternative. However, making this shift in a regulated industry such as healthcare presents an issue. The draw to reduce operational overhead, increase efficiency, reduce capital cost and move to cloud services competes with the need to maintain control of knowledge, auditing and overall security. Additionally, security is also viewed as a challenge because the burden of securing critical data is now someone else’s responsibility.
In an effort to address these concerns, the HIPAA Omnibus Rule with Business Associate Agreements put much more responsibility on cloud service providers in September 2013, extending the liability of breaches to the entity serving the data. Holding these third parties accountable for data breaches has made cloud computing a more viable – and for some even preferable – option for storing and using ePHI.
The hybrid cloud, in which some information and infrastructure is stored on-premises and some is located at an off-site data center managed by a cloud provider, is typically used within healthcare systems for non-controlled data and applications that do not contain ePHI. Two factors still prevent many healthcare organizations from storing controlled data in the public cloud: the organization’s perceived loss of control as well as the liability burden to the cloud provider.
Today, we’re moving more and more controlled data into true cloud services. It’s a necessary shift, as organizations are now requiring entire IT environments “as a service” so that healthcare cloud services, like our power and cable, are always on, always available.
As Omnibus and HIPAA rules evolve to include more of these cloud services, and as hosting and cloud providers become much more HIPAA-aware, healthcare organizations and hospitals are starting to move data out of their environments. It’s not uncommon, however, for top-tier EMR systems to host data as a way to bridge the hybrid gap and provide a level of trust until the public cloud becomes mature, secure and visible enough for senior healthcare leadership to feel comfortable with it.
What are the key considerations that healthcare organizations should make relative to the use of public clouds?
Some of the specific challenges that healthcare organizations encounter when moving controlled assets into the public cloud are very basic, such as ensuring visibility and auditing capabilities of the shared infrastructure, as well as regulatory HIPAA requirements. From a cloud provider standpoint, there’s much room for improvement in these areas. When using a private cloud, visibility into what the servers are doing, who’s accessing them, breach attempts and more is all readily available to a healthcare IT group.
From a compliance standpoint, the same level of detail needs to be available from public cloud providers. However, this can be relatively difficult to achieve because the provider’s basic responsibility is to contain security information logs and other relevant information within its private environment. The maturation and blending of this visibility and auditing is a deficit that is slowly but surely improving within the public cloud environment.
Another struggle that early adopters, innovators and disrupters in the healthcare environment encounter involves fallback procedures. A breach, compromise or security issue only requires a basic operational change control that is generally non-disruptive to end users. In a 24/7 environment like healthcare, however, cohesive control and auditing is crucial, with full process continuity if a disruption occurs. This includes communicating the issue back to hospitals to trigger fallbacks – a technical requirement for HIPAA – for clinical staff (for example, to revert from electronic records to paper).
These processes, typically owned and evolved by healthcare organizations, now have one, two or three third-party entities that need to understand the complications of determining whether or not an outage causes clinical impact. In an industry as unique as healthcare, it is crucial to explain to third-party entities how minor disruptions can be detrimental, as they can cause patient safety issues, breaches and possibly expose the healthcare environment to much higher risk.
This isn’t to say that the public or hybrid cloud can’t achieve the same levels of security or compliance that a private cloud can; in fact, because cloud providers can invest much more in infrastructure, security and control, it can actually improve an organization’s security posture when moving to the cloud. However, it must be done carefully and diligently to ensure the proper processes and procedures are in place.
How does the industry overcome its fear of change?
The bottom line is that wholesale cloud adoption within healthcare has little to do with convincing healthcare and IT leaders of technicality or capability – and much more to do with basic perception and peace of mind. Healthcare industry leaders who are professionally and personally liable for their organization’s data protection need to feel in control. And because the cloud isn’t physically present within the organization’s data center, there’s still a perception that the cloud isn’t safe.
This perception continues to challenge the industry, preventing organizations from moving out of a private cloud to a hybrid cloud, or out of a hybrid cloud into a fully public cloud. This trend will likely continue throughout the next five to 10 years. The industry needs innovators who are willing to take risks and act as pioneers when it comes to cloud implementation. Seattle Children’s Hospital (SCH), for example, was one of the first organizations to take this step. They invested in virtualization, networking and private cloud solutions that helped doctors and nurses spend more time with patients – and less time interacting with technology. SCH professionals can now use technology resources more easily and efficiently no matter where they go while reducing the costs of providing exceptional patient care.
Like Seattle Children’s Hospital, other healthcare organization pioneers can help demonstrate that the cloud is safe and also exemplify how they’ve mitigated the risks and concerns associated with cloud implementation. As misperceptions related to the cloud are replaced with knowledge and understanding of security capabilities, we’ll see improving rates of adoption within the healthcare industry.