As more provider organizations look to the cloud computing model, they face a host of security-related questions. What are the appropriate applications for the cloud, what is the best cloud model, and what do they need to know to choose the best vendor? Hospital CIOs and security experts weigh in.
From a purely business perspective, cloud computing makes a compelling case for healthcare providers. After all, the on-demand, pay-as-you-go cloud model offers a way to reduce the costs of applications and storage, no small matter for hospitals faced with challenges to maintaining revenue margin health.
Yet security issues weigh heavily on any decision to take advantage of the cloud platform. This was a key finding in a survey conducted last May by CDW LLC, a technology solutions and services firm in Vernon, Ill. The poll assessed current and future cloud computing use in healthcare, business, government, and education, and found that 28 percent of organizations (across all industries) use the cloud today in some capacity. Security issues were the number-one concern that could hold back their organization from either adopting or further implementing cloud computing.
It's worth noting that compared to all of the business sectors surveyed, healthcare organizations take the most security measures, according to Nathan Coutinho, manager of enterprise server, storage, and virtualization solutions for CDW, which he attributes to federal HIPAA mandates. Indeed, proposed rules from the Department of Health and Human Services' Office of Civil Rights pose questions around auditing of data that is stored on a vendor's cloud service, and some see more rigorous enforcement under HIPAA, including random audits of privacy and security safeguards by providers and their business associates.
Hospital CIOs have expressed serious concerns about placing protected health information on the cloud; indeed, their concerns with cloud storage outstrip those around other types of applications such as image storage and productivity software, although data breaches are always a concern. Nonetheless, for the provider, using a cloud service means letting go of direct control of their data. Those that use cloud services say they did so after careful evaluation of the cloud model and vetting of the cloud vendor.
PUBLIC OR PRIVATE?
The very term cloud computing, a catchall phrase that embodies various models, has led to confusion in the marketplace, according to David Muntz, senior vice president and CIO of the 14-hospital Baylor Health System in Dallas: “The term confuses people, and it creates, in some people, a sense of comfort that they can put information on the cloud, get services out of the cloud, and not have to know where anything is coming from.” His concern goes to the heart of security issues of the cloud. “In the cloud, I can't necessarily tell you where everything is,” he says. “It's that uncertainty that creates the greatest angst.”
Mac McMillan, chair of the Healthcare Information and Management Systems Society (HIMSS) Privacy Steering Committee, believes that cloud security is an important issue that deserves more attention, so much so that last spring his committee decided to set up a workgroup to focus on the issue. “There are a lot of people knocking on people's doors promising savings ‘if you move your stuff on to my cloud.’ We need to find out what ‘my cloud’ means,” he says.
The cloud's distributed model of storing data in a way that does not associate the storage device with the application server itself is a smart approach for healthcare organizations, McMillan says. Because the data can be distributed, hospitals can reduce the amount of storage hardware they need to support their environment, he says.
All of that, of course, hinges on choosing the appropriate cloud model, and a reliable vendor, that will maintain the security of the data. There are a variety of cloud models that fall within two extremes, notes McMillan, who is also CEO and owner of CynergisTek Inc., an Austin, Texas-based IT security firm. And job number one for health providers considering the cloud is to identify the type of cloud that they may be doing business with, he says.
At one end is the truly distributed model, in which the cloud vendor is essentially an aggregator with contracts to other cloud vendors that have excess capacity in their data centers and are willing to lease it out. That model is high-risk, because the customer has no control over where the data is stored and there is probably no way to audit the data, he says. At the other end are large data centers owned and operated by a single cloud vendor. That model is far more secure, is compliant with the Statement on Auditing (SAS)-70, physically protects and monitors data, and allows data to be audited, even though it is distributed within the facility, he says. And, if one does not want to go the third-party route, an organization can build and operate its own cloud.