The Cloud: Trust, but Verify

Cloud computing is becoming a valuable tool for hospitals, and there are good reasons for that, as more organizations digitize their clinical systems. I recently had a conversation with Richard Temple, executive consultant at Beacon Partners, Inc., Weymouth, Mass.

Typically, a lot of the computerization by hospitals has centered on financial systems, and hospitals typically wanted to keep that information close, housing it in their own data centers, he says. But things were more manageable, in terms of what needed to be available. After all, if a billing system went down at night, lives didn’t hang in the balance.

But with the advent of the computerization of clinical systems, hospitals are faced with requirements of uptime and redundancy. “Hospitals aren’t necessarily geared up to support a computing infrastructure of that magnitude, so they look to the cloud,” Temple says. And a lot of EHR vendors, recognizing an opportunity, have filled that niche, offering remote hosting, both to implement an EHR system as well as take responsibility to make sure the system works properly, he adds.

All of this suggests that a high level of trust, that the cloud vendor has the necessary skills to manage the system effectively, he says. That level of trust goes beyond a comfort level that the EHR is safely housed in the vendor’s cloud.

What elements should a hospital consider before moving its data to the cloud? Temple has a few suggestions:

1. Ensure the cloud provider has SSAE-16 certification (formerly SAS-70), a third-party certified certification that says the host will adhere to best practices at a high level. “This is a prerequisite to everything else,” Temple says.
2. Know where the hosted data will reside; and if it hosted overseas, be comfortable with the legal and regulatory protections where the data is stored.
3. Confirm that data will be encrypted at all all points in the process, not just in transit. Both the cloud vendor and hospital share responsibility for encryption, Temple says.
4. Make sure that the contract includes definitive service level agreements that state the acceptable thresholds for uptime and performance speeds for performance speed. Specify financial penalties if the cloud vendor dips below those levels.
5. Confirm that there is a disaster recovery plan in place. Know how the data is stored off site, and how quickly it can be recovered in the event of a disaster. Receive a guarantee that the cloud vendor’s IS group will work with the hospital to recover the data. Make sure that the hospital participates in any disaster recovery drill.
6. Get a business associate agreement with the cloud host, especially if it will have access to PHI, to make sure that the data is well secured, backed up and encrypted. Specify the right of the hospital to conduct audits as it sees fit, and require the host to send the hospital an attestation of continued compliance on an annual basis. The hospital should reserve the right to approve any subcontracting that takes place, and that it will be HIPAA compliant.
7. Because healthcare is a unique industry, it’s advisable to look for a cloud vendor that has prior healthcare experience.
8. Look for scalability; make sure the cloud vendor is able to meet your growing needs. Try to negotiate some flexibility in terms of the number of users, to avoid exorbitant financial charges by going over a fixed threshold.
9. Require protections if the cloud host moves to a different platform, and require that protocols are in place that upgrades are done with as little disruption as possible.
10. If the hosting agreement ends, contractually obligate the cloud provider to destroy the data or make sure it is returned in a non-proprietary form that can be imported into another system.

While the cloud presents its share of risks and challenges, it’s becoming more and more prevalent, especially with new and bundled arrangements such as HIEs and ACOs make metrics reporting a necessity, Temple says. The cloud can help a great deal, but hospitals that sign on are partners with cloud vendors that house their data.

More on cloud computing will appear in the April issue of Healthcare Informatics magazine.