More hospitals are looking to the cloud as a viable way to store clinical, imaging, and financial data. Experts acknowledge its advantages, but caution it’s a step that requires careful planning and vetting of potential cloud vendors.
As healthcare IT leaders move forward with digitizing their electronic records, cloud computing is increasingly being considered a viable option for many provider organizations. The biggest upsurge of interest in the cloud has coincided with the digitization of clinical records.
As noted by Richard Temple, executive consultant at Beacon Partners Inc., Weymouth, Mass., computerization in provider organizations has shifted, from an initial focus around financial systems, to attention to clinical systems. With that shift, hospitals are faced with more stringent requirements for uptime, redundancy, and performance. Put simply, clinical data must be available any time, anywhere, Temple says—a higher standard than exists with financial data. “Hospitals aren’t necessarily geared up to be able to support a computing infrastructure of that magnitude,” he says.
Enter cloud computing, a growing service that many hospitals are embracing, and which experts interviewed for this story say offers new opportunities for sharing and leveraging data for new healthcare models such as health information exchanges, accountable care organizations, and secondary uses in research.
But there is a catch: moving data to the cloud by definition involves relinquishing direct control over data, and with it comes substantial risk in terms of performance, privacy, and security. Yet liability for anything that goes wrong on any of those fronts falls squarely on the provider organization, and of course, more specifically on the CIO and his or her team.
PUTTING IN PROTECTIONS
Temple and others interviewed for this article stress the need to thoroughly vet a cloud vendor, and to have iron-clad service-level agreements in place that specify performance expectations and guarantees, before signing any contract. At a minimum, one must make sure that the cloud vendor has SSAE-16 (formerly SAS-70) certification that requires that the cloud host will adhere to best practices at a very high level, he says.
He also advises having a good business associate agreement in place that ensures that data is secured, backed up and encrypted. He recommends that the hospital should have the right to conduct audits and require the cloud host to send the hospital an attestation of continued compliance on an annual basis. He adds that the hospital should have the right to approve subcontracting, and to ensure that it will be compliant with the Health Information Portability and Accountability Act (HIPAA).
Temple recommends confirming that there is a disaster recovery plan in place. It’s important to know how the data is stored off site, and how quickly it can be recovered in the event of a disaster, he says. When it comes to disaster recovery, hospitals should strive to be recognized as a partner. This means obtaining a guarantee that the cloud vendor’s IS group will work with the hospital to recover the data, and participating with the cloud vendor in any disaster recovery drill.
Diana McKenzie is partner and chair of the Information Technology and Outsourcing Group at Hunter, Maclean, Exley & Dunn, P.C., Savannah, Ga. “The cloud is great, but the trick is that the customer doesn’t have control of their data, and yet it is still legally responsible for it,” she says. Her advice, especially for providers that are new to the cloud, is to not forget the basics. Often, “when we get into these newer contracts, clients are excited about the newness of it and forget about the basic things they always need to protect. All the things you always needed in every other IT contract, you need here too,” she says.
She advises getting a lawyer or consultant (preferably one who has lots of experience in healthcare) involved in putting together an RFP, and to include legal questions about risk mitigation and liability for the vendor to respond to. “You want the information for competitive reasons, but it will also give you a good sense of how comfortable they are in protecting your data, and what they are willing to commit to in writing,” she says.
McKenzie says there is no substitute for due diligence when evaluating vendors. “You have to put out requests for proposals to see what vendors can and cannot do, and compare them,” she says. She recommends using social media to get feedback from a vendor’s existing customers, a tactic used by one of her clients. “Tweet, use social media; user groups and conferences are also helpful, as well as basic online searches,” she says.
In the regulatory arena, she advises healthcare providers to make sure that cloud vendors are able to comply with state privacy laws, which vary greatly from state to state. Hospitals have to comply with the state laws, where the patient lives, she notes. “Hospitals located in resort areas or offering a specialty may treat many patients from out of state, and must comply with many different laws. You have to make sure your cloud vendor is capable of doing that,” she says.
TESTING THE WATERS
Despite the litany of precautions, the cloud is making inroads with healthcare organizations.
Scott MacLean, deputy CIO of Partners Healthcare in Boston, says his organization is taking a cautious approach to the cloud. “Like most healthcare customers, we are intrigued by it, but we haven’t moved anything to the public cloud” yet, he says. Partners has one major cloud-based application in revenue cycle management that is hosted at the vendor site (Siemens Healthcare, Malvern, Pa.), which he describes as a private, corporate hosting arrangement; as well as software-as-a-service applications, with appropriate business associate agreements, at the departmental level, he says.
In MacLean’s view, the decision to move to the public cloud depends on three factors: cost, flexibility, and security. He adds that Partners recently did an analysis of using the public cloud for disaster recovery and concluded that, based on its concerns about price and security, the health system did not want to pursue it at this time. But he adds: “We do feel that, in the next couple of years, there will be applications where we can come to an agreement with a [cloud] provider to use that.” Those applications will likely be non-clinical, he says.
“Putting PHI [protected health information] on the cloud is not something we are ready for,” he says. “There is not a level of remediation with a [cloud vendor] if we have an incident. They are not going to get the black eye in healthcare; it’s going to be us.”
Johns Hopkins Medicine is using the cloud for enterprise-wide imaging. James F. Philbin, Ph.D., is co-founder and chief technical officer of Peake Healthcare Innovations, a joint venture between Johns Hopkins Medicine and Harris Healthcare Solutions, Melbourne, Fla. Prior to co-founding Peake, Philbin, who is a computer scientist, was senior director of medical imaging informatics for John Hopkins Medicine.
Peake was formed to provide a cloud-based solution for managing and sharing images across any enterprise, Philbin explains. The PeakeSecure solution is first being implemented at Johns Hopkins Medicine; Hopkins has been expanding its imaging archive for the last six years, part of a strategy to store images from all the hospital system’s medical specialties in a single replicated archive and make them available to all clinicians using the same viewer, he explains.
As the Hopkins system expanded from three to six hospitals, it began to receive more transfers of complicated cases from community hospitals, Philbin says. “We wanted to get an aggregated imaging record that included all of the ‘ologies’ across all of the hospitals and all of the outpatient centers, and make them quickly available wherever they were needed,” he says. “Because of remote visualization, we can do that more effectively from the cloud than we can by solely using thin clients or workstations.”
James F. Philbin, Ph.D.
Working through Peake, Hopkins is rolling out the imaging archive for two hospitals as a private cloud in its own data centers. The goal is to expand it to the remaining hospitals during the next year, Philbin says. Peake is in the process of transitioning the imaging archive to public data centers, and is close to signing an agreement with a third-party cloud vendor, he says. Peake, which presently stores three copies of each image in two of Hopkins’ own data centers, will move the third copy of the image to the public cloud, with Peake having oversight over hardware, software, and security. The applications will have the ability to fail over to the other data center, providing good reliability, he says.
“We explicitly designed our cloud as a medical cloud to handle the needs of medical information,” Philbin says. By law, images have to be kept for seven years, even though they get accessed less over time. Peake stores the images on hard disk, which spin down when the images are not being accessed, saving cost and energy use, Philbin says. Image data is encrypted at rest—as they are sitting on disk or in a file—so even if someone penetrated the data center, they wouldn’t necessarily be able to view patient data, Philbin says. The imaging data resides in the cloud, not on the desktop. “From a HIPAA point of view, it’s much more secure,” he says.
He adds that Peake is establishing partnerships with PACS vendors to build virtual “machines” to take advantage of its infrastructure that provides a vendor-neutral archive, while also providing choices of the best systems to healthcare facilities.
Philbin is very enthusiastic about the cloud. “From my experience running imaging archives across hospitals, I realized that the cloud could be leveraged in a way that could significantly improve access to images,” he says.
Looking over the longer term as the cloud gains traction across more applications, he sees the cloud’s real value as an aggregated medical record that can lead to better patient care across providers; as well as an important research opportunity, providing aggregated medical records for large patient populations. “I think the cloud will not only save money and improve care, but provide research breakthroughs in the next five years that we would never be able to do without aggregating that information,” he says.