Building a Basic Understanding of the Healthcare Cloud
When considering the healthcare cloud, organizations must address several technical and regulatory requirements required for both compliance and performance.
“Get to the cloud. Run to the cloud,” Technical Advisor and former Executive Chairman of Alphabet Inc. Eric Schmidt recently told attendees at the annual conference convened by the Healthcare Information and Management Systems Society (HIMSS) in Las Vegas in early March 2018.
“Most of you sit in institutions that have proprietary data centers which have some sort of logic about them. Most of that logic may have been true five or ten years ago, but it isn’t today,” he continued before noting that his industry has much safer, more HIPAA-compliant, and easier to use cloud-based servers.
The former head of Google and later its parent company Alphabet called on health information and health IT professionals to avoid reinventing the wheel to modernize their IT infrastructure.
“The cloud is more secure. I don’t want you repeating the infrastructure work that we’re doing. I want you all to focus on the innovation,” he implored the audience.
According to data published by HIMSS Analytics, healthcare organizations have already found solid footing in the cloud. Two-thirds of IT leaders from health systems, hospitals, and other large healthcare organizations reported that they currently utilize the cloud or cloud services at their facilities. The bulk of healthcare cloud use is to support clinical application and data hosting, data recovery and backup, and hosting of operational applications.
Clearly, the healthcare industry has already heeded Schmidt’s advice. But the cloud is much more than an environment for hosting applications and data. Healthcare organizations have only scratched the surface of the potential for a shared pool of configurable computing resources to further benefit their organizations. Little more than half of respondents to that same HIMSS Analytics study (52.4%) considered the cloud as a means to leverage managed services. Even fewer (36.5%) gave consideration to virtual servers or security when thinking about the healthcare cloud.
The cloud isn’t one thing, which is why it’s important for healthcare organizations to understand the basics before rushing into it.
Types of cloud and services
The terms private, public, and hybrid when applied to the cloud denote how the pooled resources of networks, servers, storage, applications, and services are shared.
For the first, a single company owns the computing resources and therefore retains exclusive control over its use. The public cloud is available to multiple tenants that use the same hardware, storage, and network devices via an internet connection and pay for their usage, with costs based on capacity employed. However, the cloud service provider dictates data architecture configuration, security, and availability of services. The hybrid cloud is a combination of these two where more sensitive, critical data and applications live in the private cloud, and the public cloud manages higher-volume assets that are relatively low security risks.
Three other terms frequently accompany discussions of the cloud — Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) speak to the services delivered via the cloud. IaaS is the most limited model, comprising servers and storage, networking firewalls and security, and the physical data center. PaaS adds to that mix an operating system, development tools, database management, and business analytics. SaaS encapsulates them both with hosted applications as an additional component. Cost is a leading prohibitive factor for choosing deployment and service models. The more control an organization wants over hardware, storage, and network devices, the higher the price.
Returning to the HIMSS Analytics study, the vast majority of healthcare organizations (87.8%) reported using SaaS for hosted applications; roughly half (53.7%) IaaS for storage, backup, and computing services; and about one-tenth (9.8%) PaaS for developments environments. According to researchers, IaaS saw the largest increase in adoption over previous years, noting that “organizations seem to be moving more toward this virtualized resource model to allow for additional flexibility and scalability in a number of areas, such as storage, data backup and computing services.”
Cloud benefits for healthcare
“Healthcare organizations don’t want to be in the business of maintaining data centers.” That is a common refrain heard across the industry.
In 2017, the Cloud Standards Customer Council (CSCC) updated its guidance on cloud computing in healthcare and included a look at the three primary benefits of the cloud for the industry: economic, operational, and functional.
First, there are the economic benefits of the healthcare cloud to reduce IT costs. “Heavy capital expenditure can be avoided, because IT resources are acquired on demand as needed and paid for as an operating expense. Also, the cost of staff resources required to deploy and maintain IT resources are included in the cost of cloud computing,” the authors wrote.
Second, the cloud offers scalability and flexibility to meet demand.
“Cloud service provider data centers are typically highly secure and well protected against outsider and insider threats using administrative, physical, and technical methods implemented and maintained by expert professional staff,” the authors explained. “Cloud services can offer sophisticated security controls, including data encryption and fine-grained access controls and access logging. Medical systems built using cloud services can provide web access to data, avoiding the need to store information on client devices.”
Third, cloud makes its services available to healthcare organizations using standards-based protocols over the internet, which streamlines connections to other systems and applications and the sharing of information securely. A web-based approach also supports remote access no matter the device (e.g., mobile). “These services offer the opportunity to extend the capabilities available to health organization staff in order to implement better ways of working and to offer new services to patients,” authors added.
The CSCC guidance also noted that cutting-edge tools can be more easily integrated into a cloud environment, leaving the door open for future IT innovation to get swiftly into the hands of providers and patients.
Cloud considerations for healthcare
When considering a move of data and applications into the cloud, healthcare organizations must be mindful of a handful of concerns that a poorly-deployed model could present.
The Health Insurance Portability and Accountability Act (HIPAA) and related regulations set stringent rules for covered entities and business associates. As a result, healthcare organizations must work with cloud service providers to establish contractual agreements with strong and specific emphasis on the safeguarding of protected health information (PHI) and other sensitive data. This concern for health data security and privacy should extend to include knowledge of where PHI is stored, how it is handled, and who is accessing it.
These organizations must then follow through with holding their cloud service providers accountable for maintaining compliance with various regulations pertaining to PHI and health data. “Implementation of certain operational and control aspects of securing ePHI is done by the CSP [cloud service provider]; however, ultimate responsibility for compliance always resides with the healthcare entity,” the CSCC guidance warned.
Moving to the cloud makes uptime a critical factor. CSCC advises healthcare organizations to identify and define key performance indicators on a regular basis to address service reliability. Pursuant to HIPAA, covered entities have a responsibility to protect health data as part of disaster recovery activities. These organizations also need assurances from their cloud service providers about system and software updates and upgrades that are critical to operational performance and security.
Lastly, healthcare organizations considering the cloud need to examine the standards maintained by cloud service providers to support data integration, interoperability, and portability. Standards-based cloud data architecture will ensure that various bits of data from myriad departments are available to end users. With an eye to the future, these organizations should also consider how they will move their data and applications to another cloud service provider should the need arise.
The cloud is a popular term, but as with popular terms, misconceptions and misunderstandings are soon to follow. While many healthcare organizations are moving to the cloud and plenty are still determining what their plans will be, all will need to have a firm understanding of the various offerings and their implications for the individual health organization. A lack of due diligence could easily lead to performance issues, or worse, a breach of highly sensitive information.