At a time of rapidly expanding data storage needs, the cloud offers a compelling business case to healthcare provider organizations. After all, the cloud can relieve a hospital of the significant capital costs of acquiring and maintaining hardware, and can free up hard-pressed IT staffs from maintaining that equipment.
Yet the cloud is a broad term encompassing many models, both public and private, and within the latter, software-as-a-service (SaaS), with varying degrees of data management by the vendor. CIOs whose organizations are considering some form of the cloud face questions around implementation, vetting of cloud service providers, and protection of data that, in many cases, is no longer under their direct control.
CIOs interviewed for this article express different takes on the use of the cloud. While many healthcare CIOs are skeptical of the “public” cloud offered by companies such as Google, Microsoft and Amazon, others are more open to using the “private” cloud, which allows more control over their data.
One proponent of the cloud is John Halamka, M.D., CIO of Beth Israel Deaconess Medical Center in Boston, who recommends taking a realistic view of the cloud, whatever model one chooses. In a blog post from 2011 that is still apt today, he notes that the sophisticated technology required for 99.999-percent uptime comes with a lot of complexity, and with it, unanticipated downtime and human error. Nonetheless, he does not believe the public cloud has substantially less downtime cost than he could engineer himself.
FAN NOTES FROM A ‘CLOUDY CIO’
Dan Morreale, vice president and CIO of Riverside Healthcare System, a 680-bed provider organization based in Yonkers, N.Y., with three hospitals, a nursing home and 20 ambulatory locations, is a self-proclaimed fan of the cloud. Explaining his business case for using it, he says, “I am hoping to eliminate my massive data frame in my organization. I don’t want to deal with power issues and cooling issues, and I don’t want to deal with capitalizing hardware over time.”
Morreale acknowledges that part of his openness to the cloud is a matter of timing. “If I had hardware that was brand-new, with some room for growth, I wouldn’t be that interested in the cloud right now,” he says. His decision to move data to the cloud is based on a five-year cost of ownership model. Like CIOs of many community-based hospitals, he says, “When I look at expanding the computer room or buying new servers or buying new storage, then the costs, the returns on investments, become a lot easier to see and to justify.”
Morreale says he is open to storing all types of data on the cloud, noting that he has very stringent requirements on how his hospital’s data is protected. Several years ago (before his arrival at Riverside), he used the public cloud (Amazon) to host an HIE solution and its data. He pulled back from the public cloud when policy changes under the Health Information Technology for Economic and Clinical Health (HITECH) Act imposed more stringent privacy requirements. Today, he makes use of the private cloud model (hosted by Tempe, Ariz.-based ClearDATA, a cloud service provider that specializes in healthcare). His view of cloud storage is one of shared risk, and he requires the vendors he works with to understand that risk, he says.
He adds that he is “cautiously optimistic” about other models of cloud storage, such as software-as-a-service (SaaS). He requires those vendors to disclose their security plans and rules and their policies. “I insist that my data be encrypted, both at rest and in motion, which is a show-stopper for many of these smaller vendors,” he says.
Tom Gordon, senior vice president and CIO of Virtua, a 1,178-bed integrated health system based in Marlton, N.J., dislikes the term “cloud,” because to him it suggests a wide-open and unsecured service. While Virtua, which Gordon describes as a risk-averse organization that operates its own data center for production data and disaster recovery, eschews the public cloud, his organization does make use of vendor-hosted solutions.
Gordon compares vendor-hosted solutions to the application service provider (ASP) model, which he says offers significant economies of scale resulting from shared bandwidth and shared staff monitoring equipment, as well as the speed at which applications can be deployed. He credits vendor-hosted solutions with helping the hospital system meet its data storage requirements, which are growing at a fast clip. He estimates that clinical data is growing at a rate of 70 percent year over year.
Another proponent of vendor-hosted solutions is Kirk Larson, vice president and CIO of Children’s Hospital Central California, in Madera, Calif. Children’s Hospital makes use of vendor-hosted storage services from athenahealth, Inc., Watertown, Mass., which supplies its ambulatory EMR; Emdeon, Nashville, Tenn., which supplies its revenue cycle solution; and Boston-based Iron Mountain, which handles the hospital’s vendor-neutral archive.
He says his hospital also makes extensive use of the private cloud in another variation: as a virtualized environment (provided by VMware, Inc., Palo Alto, Calif.), for its primary electronic medical record, which is supplied by Westwood, Mass.-based MEDITECH. Under the virtualized model, the data is accessible through a virtualized desktop, but is stored in the hospital’s data centers, he explains.
“In our case, the importance of virtualizing is what drove us to the private cloud,” Larson says. “That enables us to keep our footprint to a reasonable size. Our data centers have not expanded at nearly the rate they had before virtualization, so there is an economic driver there.”
“One of the commitments we have made in IT is that we don’t have a defined preference between the cloud and on-premise when it comes to vendor solutions,” Larson says. He notes that the hospital’s physicians were supportive of athenahealth as an ambulatory EMR, which is only offered as a cloud solution. “That was a case where we wanted to accommodate the needs of the organization,” he says.
Larson says that accommodating data growth, particularly from imaging, is challenging. “I have seen some projections that, at some point, you might have a 24-hour Holter study of your heart that can be a terabyte of data. That’s mind-blowing,” he says.
Larson views the role of a CIO as essentially a service provider to the organization. Decisions about whether or not to implement the cloud should be based on input from the IT department as well as the wider organization, he says. “You have to make sure what your business level requirements are, not just your IT operational requirements,” he says. “Once you tick off the business requirements, then it is up to the IT organization to architect a solution to accommodate those. It is important to come up with a solution in the organization that works,” he says.
WHAT ABOUT SECURITY CONCERNS?
Whichever model of the cloud they ultimately choose, CIOs set a high bar when evaluating vendors offering cloud-based solutions or platforms.
Before entering into an agreement for a hosted solution, Virtua requires the vendor to fill out an extensive questionnaire covering issues such as data divorce, auditing and encryption, Gordon says. He adds that Virtua looks to work with vendors that follow best practices that reflect its own; and that understand policy requirements under the Health Insurance Portability and Accountability Act (HIPAA), the HITECH Act, and business associate agreements. Once a vendor gets past the preliminaries, he recommends entering into an iron-clad contract that specifies guaranteed uptime and monetary penalties around unplanned downtime.
At Children’s Hospital, having a business associate agreement that both parties—the covered entity and the cloud service provider—can live with is a must, Larson says. “One thing that is non-negotiable is that all data must be stored within U.S. borders. That’s something that should be covered in the business associate agreement,” he notes.
Beth Israel Deaconess’ Halamka, in a blog post earlier this year, says that the SaaS model is generally good, but he cautions that most SaaS is neither private nor secure. He notes that current policy mandates require a provider organization to find a cloud hosting firm that will indemnify it against privacy breaches caused by security issues in the SaaS hosting facility. Cloud computing can be done successfully, but SaaS is only as good as the privacy connections put in place by the provider, and performance is only as good as the provider’s network connection, he says.
Mac McMillan, national chair of the HIMSS Privacy and Security Task Force (and CEO of the Austin, Texas-based CynergisTek, Inc. consulting firm), notes that the private cloud, whether hosted or on-site, offers the provider organization a much greater degree of control than the public cloud. “They know where their data is, they know who has access to it, and they have better control over the resources around it and the rules around it,” he says. In his view, the public cloud is not designed to support a heavily regulated or security-intensive environment such as healthcare, and is not suited for storage of clinical information.
Recent policy changes have put more pressure on healthcare provider organizations as well as cloud service providers, McMillan says. Because of changes under the HIPAA Omnibus Rule, cloud service providers have now been designated as business associates with responsibilities to support the covered entity, he notes.
He observes that many of these changes affect the vendors, but also the covered entities, in terms of whether the cloud vendor they are working with is able to respond to them effectively. Cloud vendors “have to be cognizant of what’s happening to the information and supportive to anything the provider needs in terms of responding to their compliance requirements. They have to have all of the same security controls and the same security measures as the provider has, with regard to that data,” he says.
McMillan notes that some smaller entities depend on cloud vendors for more than hosting their data; the vendor manages their EHRs for them as well, often responding to requests on their behalf. In those types of partnerships, the vetting process should go beyond meeting basic security principles to how the vendor manages the covered entity’s environment, he says.
Before entering into a contract, a hospital should consider how the vendor will be used, what services it will provide beyond data storage, and how those added responsibilities should be covered in a service level agreement, he says.
McMillan also advises hospitals to make sure their business associate agreements include a provision requiring the vendor, if there is any material change to the environment or if the vendor decides to change its business model, to notify the hospital beforehand so it can assess the effect on its data.
Daniel F. Gottlieb, a partner in the Chicago office of the law firm McDermott Will &amp; Emery, leads the firm’s health information technology and data protection practice. He says policy changes to the HIPAA rule have put greater emphasis on privacy and security than in the past. Added to that, recent press accounts of hacking and data breaches have raised awareness of the issue among hospital management and boards of directors.
Gottlieb urges hospitals that are considering signing on with a cloud vendor to check references. “Due diligence is very important on the front end before entering into a service level agreement,” he says. Under SaaS agreements, it may be difficult to migrate data to different software or to a different vendor if things go awry, he notes.
He recommends making sure that the vendor has a comprehensive set of security policies and procedures that are, at a minimum, HIPAA compliant. He suggests hiring a reputable security consultant to review the contract against an agreed-upon set of standards. He also recommends that the provider organization obtain a copy of the vendor’s security policies, or at least a summary of its security measures.
THE CLOUDY ‘FORECAST’: HERE TO STAY?
Children’s Hospital will continue to leverage cloud-based technologies for the foreseeable future, according to Larson. “I certainly expect that our internal private cloud will continue to expand,” he says. “We will always be open to vendor-based cloud solutions that meet our needs.” He also notes that Children’s Hospital is now in the process of developing a longer-term strategy for its cloud usage. “My expectation is that we will continue to build in the cloud, and over time we will look at appropriate opportunities, where we can move things to the cloud,” he says.
Another reason for the cloud’s long-term prospects in healthcare is the flexibility it offers for disaster recovery. Larson notes that the private cloud could feasibly be extended to a co-location facility offsite from the hospital for disaster recovery. “We, like a lot of other organizations, are landlocked with our data center space, and we can’t endlessly build data centers,” he says.
In addition, the cloud is viewed by some as an enabler for mobile technology, if only indirectly. Dan Morreale of Riverside says the cloud helps with the mobility challenge. “With the mobile and cloud-based data, I don’t have to worry about the infrastructure for connecting the mobile device to the data.” In other words, access to the data is not necessarily dependent on the hospital’s wireless network, he says.
Halamka of Beth Israel Deaconess, who will be a speaker at the IEEE Computer Society Rock Stars of the Mobile Cloud conference this May in Boston, acknowledges that the cloud and mobile are different, unrelated concepts, but observes that “companies that are forward-thinking enough to offer cloud hosting also offer mobile access to the cloud.”