The cloud has become ubiquitous in American business, including healthcare. It provides easy, universal access to data and systems, big plusses when dealing with large workforces and needed IT. But security remains a nagging question: Is the cloud secure enough to hold a healthcare organization’s precious data and applications? And how does a healthcare CIO balance security and ease of use?
And – and this is a big one – how does the CIO explain all this to his or her colleagues in the C-suite?
As technology becomes more of a commodity and more agnostic to the industry – in other words, less unique to healthcare – there is less of a need to own some of the technology in the traditional holistic manner, said Eli Tarlow, vice president and CIO at Brookdale University Hospital and Medical Center in Brooklyn, New York.
“So owning your own data center in a hospital is less a requirement than it was 10 or 20 years ago,” he said. “In fact, space is a necessity in hospitals, space that was previously occupied by a data center, by things that now can be hosted in the cloud.”
The experience of cloud vendors
Cloud companies have been providing services to banking, finance, e-commerce and other industries, and in doing so have built up a track record over time.
“Because security around healthcare can be marginally more important than other things, the challenge now is to explain clearly to the C-suite that their healthcare security will be just as secure as it was in their own hospital in the past,” Tarlow said. “If there is fraud around credit cards, then it is a one-time thing, then a card can be canceled, and so on. But if healthcare is a problem, you cannot pull it back in. It is hard for colleagues in the C-suite to accept that it still can be completely secure if not greater security than in our own building.”
When one hears the term ‘cloud security,’ the two words do not naturally go together, said Cletis Earle, senior vice president and CIO at Kaleida Health, a four-hospital health system based in Buffalo, New York.
“When you think of cloud, you don’t natively think of security,” he said. “But we’ve come to a conclusion that the cloud has now been able to have a more resilient process than we ever have because companies like AWS have invested a significant amount of dollars to bolster a solution that is somewhat secure. Today, the world is much more mature.”
The cloud has a ways to go; some of the major cloud vendors have this year had some issues where their systems went down, and that is a challenge, Earle said.
“But even though it is more mature than a few years ago, we are still at somewhat of an infancy stage in the coupling of cloud and security,” he contended.
Limited security resources
But the situation is very different for James Wellman, CIO at Comanche County Memorial Hospital in Lawton, Oklahoma, where things revolve around his current situation – limited security resources. So he relies on strong business associates agreements, contracts and service level agreements to place his organization’s applications in the remote-hosted, cloud environment.
“We feel that AWS, Google and other cloud systems are able to provide a much better security standard than we can locally,” Wellman said. “This may not fit into an organization with a strong security team with adequate support, so I don’t feel there is a one-size-fits-all answer, it always is going to be situational.”
The cloud is the best scenario for Comanche County; the organization has been moving farther down the cloud path for the past four years, and to date it has been a success, he added.
Security is such a key consideration for healthcare CIOs – and for CIOs to explain to their C-suite peers – in part because of the lure of the cloud, which is ease of use.
“Ease of use, for us, is access to applications and a higher level of uptime,” Wellman said. “As more applications become available that are web-enabled, this allows us to create an easier access profile for our users. Using this with a virtual desktop allows us to create a user experience for our providers that is the same regardless of device type and location.”
Wellman and team can swap a faulty device and get the affected user back to work instantly because they no longer have to spend time installing and uninstalling applications for each location or user. They use this in coordination with a token and two-factor authentication to provide a secure access process, especially when a user is outside the facility.
A bigger team with the cloud
From a technology perspective, ease of use means the CIO has an expanded team with a greater focus on the technologies successfully hosted in the cloud, said Tarlow of Brookdale University Hospital and Medical Center.
“When you own the infrastructure and systems locally, you have to have a team in-house that is fully dedicated to your technologies,” he explained. “When things are in the cloud and you are getting the economies of scale from a cloud vendor that hosts many customers, it is easier because you have greater depth in the team.”
A CIO is not worried if someone calls in sick or is tied up with other work – theoretically, the CIO can pay per drink, have his requirements as he needs them without having to be concerned with building and keeping the team, Tarlow said.
“You are giving away that headache,” he said. “And it is easy from a scalability standpoint. Because your cloud vendor has multiple customers, you can scale up or down a lot quicker because they have the resources available to support many. Ease of use means quicker and less expensive for the team. IT is a partner, an enabler, and if things are hosted traditionally onsite, then it can be slower to market, so to speak.”
When it comes to ease of use, for Earle of Kaleida Health, the first thing that comes to mind is having office productivity products – word processing programs, Excel spreadsheets – out in the cloud.
“It’s truly kind of a set-it and easy-to-manage process, but it’s not necessarily cheaper,” he said. “I naturally go to the ability of using cloud in solutions like that, that organizations are much more receptive to. But just because it is in the cloud does not mean it is actually going to be cheaper for organizations.”
Long-term cloud costs
The long-term costs of managing cloud services must be considered. Something can be very easy to use yet not be feasible from a cost-control perspective.
“Theoretically you do not want to go down the road of using a cloud solution just because it is easy, because it might come with a cost uplift,” he said. “Easy does not always translate into how things are operationalized, hence how things are paid for and managed and budgeted.”
So while ease of use is indeed a consideration, the big question still comes down to this: What can healthcare CIOs really put in the cloud today? On the security front, what data and applications can exist in the cloud?
Since 2013, Brookdale University Hospital and Medical Center’s electronic health record has been in the cloud.
“We are very careful with our patient data, we have taken a strong stance on the security aspect of that, constantly making sure that it is as good if not better than self-hosted,” said Tarlow of Brookdale. “Our ERP system is in the cloud, many of our ancillary systems have been in the cloud for five-plus years. Our interface engine.”
The technologies the provider organization has not yet moved to the cloud are ones that are heavily dependent on bandwidth, and staff are not yet fully comfortable with the speed of moving these last systems to the cloud. Staff are strategizing on how to move them.
Nearly everything to the cloud
Wellman of Comanche County Memorial Hospital said they are on track to move just about everything to a cloud/remote-hosted setting with very little left onsite.
“This currently includes our ambulatory applications, financials, time and attendance, and as we move to a new acute care application, we are requiring it to be offsite,” he explained. “We are in the process of selecting a new acute care EHR and we expect it to be offsite as well. In the past we felt the interfacing and processing power should all be local, but as we have experimented over the years we felt this is no longer an issue with speed, assuming you have robust ISPs with multiple pathways to reduce the chance of excessive downtime.”
These three healthcare executives are generous when it comes to what they feel a healthcare organization can put in the cloud. Is there anything they feel should not be in the cloud?
“We really have not found anything that cannot go to the cloud, although some associated performance issues could cause you to not pursue it wholly,” Wellman said. “For example, we see the benefit of pushing our DICOM images to the cloud, but only in a hybrid design where we have onsite equipment that can receive from the modalities and then push the image to a cloud without causing a delay in that process.”
A good hybrid design would allow the organization to appropriately size and maintain the onsite storage to build an image cache and allow for pre-fetching larger images to avoid excessive wait times when a provider wants older images for comparison such as mammography, he explained.
“I would also like to point out that this model is preferable to our facility because we are in tornado alley on the Oklahoma plains, so this is a big part of our disaster recovery and business continuity plans,” he added. “It is easier and much more affordable for us to establish emergency network connectivity than it is to build or contract for a fully functional secondary data center. That played a big role in our decision to move toward the cloud.”
Still some concern among CIOs
Right now, healthcare organizations remain slow to adopt cloud methodology for the use of protected health information, contended Earle of Kaleida Health.
“Among the reasons why is that there has to be a constant that the data does not leave the United States or countries that value intellectual property and patient confidentiality or sensitive data,” he said. “Until the businesses can guarantee that your data does not move outside of the areas and controls or some kind of geo-fence of that data, it becomes less and less practical that healthcare providers would whole-heartedly put their sensitive data into the cloud.”
It is starting to happen, though. Cloud companies now are starting to accommodate PHI and related rules and practices, he said.
“They are starting to put those guardrails onto the data, but there still is some level of hesitation among CIOs around the country to adopt the cloud solutions until there is much more comfort around the resiliency of that data within the cloud,” Earle said. “There has to be some level of breakthrough when it comes to the vendors that are offering cloud services and their complete understanding of how health delivery organizations operate and do all of the constraints.”
What should a CIO say to concerned peers in the C-suite asking questions about security? Tarlow of Brookdale University Hospital and Medical Center points to some standard activities within the IT department.
“We do routine audits on this every single year; we run a security audit against it to make sure,” he said. “But I would reverse the challenge and say what if it’s onsite, what additional technologies, personnel, bells and whistles, would we have onsite that we do not already have in the cloud? Aside from someone breaking into our building, but we have security guards and I assume all of the cloud vendors have security guards.”
Cloud vendors have deeper pockets
The cloud vendors can afford the redundancies that individual healthcare organizations may not be able to afford independently, he added.
“I would educate the executives on the risks and hazards and on the benefits of doing it onsite versus offsite, so they can really learn,” he said. “It is a scary world out there. It’s really about becoming the most secure.”
He added that he was CIO at Bellevue Hospital during Superstorm Sandy. The majority of that organization’s systems were offsite, including the EHR, he said.
“The hospital was challenged, patients were discharged to other hospitals because we had to evacuate,” he concluded. “It helped us that our EHR was hosted remotely. These are not things in our dreams anymore, these are things that are really happening. And they are validating our strategy.”
Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com