Healthcare Informatics Magazine

Cloud Forward: CIOs Overcome IT Security Concerns

November 18, 2015
by Heather Landi
Healthcare CIOs are increasingly moving electronic patient records, including EHRs and diagnostic images, out of the internal data center and into the cloud.

The widespread adoption of health information technology by patient care organizations in the past 10 years has been transformative to the healthcare industry. In 2008, only 9 percent of hospitals in the U.S. had a basic electronic health record (EHR) system; by 2014, that had increased eight-fold with 76 percent of hospitals using a basic EHR system and 97 percent utilizing certified EHR technology, according to figures from the Office of the National Coordinator for Health Information Technology (ONC) and the American Hospital Association. With this surge in digitized patient data comes the challenge, for hospitals and health systems, to efficiently and cost-effectively store and manage that data.

Healthcare CIOs are increasingly moving electronic patient records, including EHRs and diagnostic images, out of the internal data center and into the cloud. The global healthcare cloud computing market is forecasted to reach $9.48 billion by 2020, growing 20 percent from $3.73 billion this year, according to research firm MarketsandMarkets.

And, many industry experts say that the use of cloud services in healthcare is increasing steadily, despite the belief that the healthcare industry lags behind others in cloud use. In fact, results from a cloud survey by Healthcare Information and Management Systems Society (HIMSS) Analytics found that 83 percent of healthcare organizations use cloud services and only six percent of those surveyed reported having no plans to use the cloud at all.

Additionally, for the majority of respondents whose organizations are using software-as-a-service (SaaS) models, the primary uses for cloud platforms are the following: hosting clinical applications and data, health information exchange, human resources applications and data, and backup and disaster recovery. Three-quarters of respondents reported using either a private cloud or hybrid cloud services.

“Cloud, in general, is not scary anymore and most people either have their toe in the water or are fairly far into it,” Greg McGovern, associate principal at the Chicago-based consulting firm The Chartis Group, says.

“Most of the healthcare organizations that we work with, when they talk about the cloud, they are generally talking about software-as-a-service,” McGovern says. “The notion of infrastructure-as-a-service, or these true full-tilt cloud services, is not fully developed in the healthcare space,” he adds, referencing the use in some industries of infrastructure-as-a-service players such as Amazon Web Services and Microsoft.

A 2014 Dell Global Technology Adoption Index survey found similar cloud adoption rates with 96 percent of healthcare organization respondents using or considering using the cloud, and only 3 percent having no plans to leverage cloud solutions. The Dell survey also found that the majority of healthcare providers use private or hybrid cloud solutions as well.

Many midsize and large physician groups and independent practice associations also are moving to cloud-based EHRs from vendors such as athenahealth or Practice Fusion, due to the speed of upgrades and better data recovery while avoiding costly hardware upgrades and IT personnel costs.

As previously reported in Healthcare Informatics, when East Georgia Healthcare Center, a federally qualified health center with nine facilities and 23 physicians, began experiencing slow computing and processing speeds due to the amount of data it was managing, the practice decided to subscribe to eClinicalWorks Grid Cloud.

“It was a smart decision for us financially and with the IT staff we have,” Herb Taylor, East Georgia’s IT director, says.

Taylor reports that the cloud offers better disaster recovery protection and financial security.

“You may be able to spend that $300,000 to $400,000 to get where you need to be this year, but where are you going to be in five or six years when it is time to upgrade all that hardware again? That was the big factor for me. No matter what happens, I am paying X amount of dollars to eClinicalWorks. It was a no-brainer for us with 23 providers to pay the monthly fee,” he says.

Investing up front in IT equipment requires capital expenditures, whereas using cloud services is an operational expense and that has been a big driver for healthcare organizations to use the cloud, McGovern says.

“The ability to pay as you go and purchase capacity as you need it and carry that as an operating expense becomes very attractive,” he says.

What many healthcare leaders report about using the cloud echoes the results of the HIMSS Analytics Cloud Survey. According to the 150 healthcare IT professionals surveyed, reasons for using cloud services included lower costs than maintaining the current IT system (56 percent), faster deployment (53 percent), a lack of staff able to maintain on-premise systems (52 percent) and more robust data recovery (50 percent). Other reasons given include the need for on-demand, scalable, always on solutions (45 percent), regulatory compliance (41 percent), better information security (26 percent) and mobility of workforce (26 percent).

The need for technical resources and talent also is driving many hospitals to look at cloud applications as it can allow for better allocation of IT resources.

“If I’m a hospital deploying a Cerner solution, I might not have the technical resources that I will need to bring that up and support that environment. So it’s attractive to look at a company that already has those resources and just come online with the application,” McGovern says.

Speed to market can be a key benefit of the cloud as well. “If you bring something in house, it takes a while to build up. So, if I want to bring up 500 doctors on a provider EMR, I might be looking at a six-month implementation as opposed to an 18-month or two-year implementation schedule. A lot of people are attracted to the notion that they can move in an agile fashion,” McGovern says.

As previously reported by HCI Editor-In-Chief Mark Hagland, Saint Luke’s Health System, a Kansas City-based integrated health system with 10 hospitals, 450 employed physicians and 2,440 affiliated physicians, shifted to a community-wide cloud-based information exchange system for diagnostic images. According to Deborah Gash, vice president and CIO of the Saint Luke’s Health System, physicians now benefit from a streamlined process and a mobile application to pull up images on their iPads. And, the cloud-based information exchange enables better patient engagement.

“We’re going to make the cloud image exchange accessible to patients,” Gash says, noting that work is being done now to put a URL into the patient portal for access to studies, diagnostic images and radiology reports.

Healthcare leaders say an increased interest in the cloud also ties into the need for mobility solutions and data analytics with the shift towards population health and accountable care organizations (ACOs), and the cloud can be a critical building block for information-driven, patient-centered healthcare.

The push for data analytics requires having access to a data warehouse, and building an internal data warehouse is a huge investment, McGovern says. “So the question is, should I build my own data warehouse and bring all that information and cost into my organization, or should I start shopping around for a shared service model? Is there someone out there like a Dell that might offer that sort of analytics or data storage environment that would be most effective? I think folks are looking at cloud services not just on the applications side, but on the infrastructure side as well,” he says.

Historically, there have been concerns about data security with cloud-based solutions. Case in point: 61 percent of the respondents in the HIMSS Analytics survey who hadn’t adopted a cloud solution cited security concerns as a reason for not doing so. But many health IT leaders say those concerns are unfounded, and many CIOs, CTOs and CISOs (chief information security officers) see the cloud as providing more security than on-site storage.

“Is security an issue? Absolutely, but no more so, and I would argue maybe even less so than with an internal data center. Security is always an issue, HIPAA is an issue, privacy and disclosure are issues whether the data is sitting in a server in your closet or sitting out somewhere on the internet. The cloud vendor, in some sense, might be able to provide better security, as they have scale and you have a relationship with them contractually, there are business associate agreements in place. As such, the cloud vendors comply with certain standards for data security and privacy,” McGovern says.

And, cloud solutions also provide CISOs and CIOs with a way to “get dollars for security” because the security is “baked into the solution from the external vendor,” he adds. With many hospitals and health systems, funding for security, such as intrusion detection systems, is not a priority due to the expense, but outsourcing data storage to a cloud vendor “almost by definition gives you a certain level of security and that security will be maintained on an ongoing basis.”

However, as with any outsourcing relationship, there are a number of issues that health IT leaders need to consider when using cloud solutions, and doing due diligence with regards to service level agreements and contracts is critical, McGovern says. “We’ve had people go into an outsource relationship for the cloud or remote-hosted services and three to five years down the road, the CFO says, ‘Our costs are astronomical, why is it costing so much?’ And it turns out there are all these things outside the scope of the agreement, so they might have committed to 99.9 percent uptime and then demanded more, or they have expanded and added more providers and that incremental cost was unexpected.”

“It’s probably going to be a 10-year marriage with that vendor, so you really need to have foresight and think about how is this going to grow and how is the world going to change and then try to build in those considerations into your contract,” he says.

According to the HIMSS Analytics survey, 65 percent of healthcare organization respondents said a cloud services provider’s willingness to enter a business associate agreement was an important factor when selecting a vendor.

There are also concerns around certain performance issues with cloud services, such as slow responsiveness and downtime. According to the same survey, 32 percent of respondents reported problems with slow responsiveness with cloud applications and 23 percent of respondents reported downtime and unavailability of data and applications.

“The concern around availability and uptime has been a valid concern, but internal networks go down too. The connectivity and availability of cloud services is very high and again, that gets back to the contracts and the need for good due diligence when talking to the vendor,” McGovern says.

Integration services can be an issue when using cloud-based solutions as most hospitals and health systems want an integrated user experience and workflow. “The integration of the user interface and all those back-end services is a challenge, but that doesn’t mean it can’t be managed, it just means that it needs to be thought through so you don’t end up with a bunch of siloed broken workflows,” McGovern says.

Many industry experts also warn against “all-or-nothing” cloud service providers. “In this population health and ACO world, you never know who you’re going to be partnering with, so locking yourself into an all-or-nothing vendor could be prohibitive,” he says.

Cost savings and IT staffing challenges will likely drive continued growth of cloud solutions, and, indeed, most adopters report that they will expand their use of the cloud in the future, specifically for archived data, disaster recovery and operation apps and data, according to the HIMSS survey.
