Cloud Computing: A Good Fit?When Should Healthcare Organizations Turn to the Cloud?
At a time when healthcare organizations are overwhelmed by the storage demands for diagnostic images, research data and other electronic information, cloud computing offers an efficient, secure option.
This is the posture of David Finn, Health IT Officer for Symantec. In an exclusive interview on the promise of cloud computing, Finn discusses:
- Cloud benefits for healthcare organizations;
- Security and privacy considerations;
- How to get started in a cloud initiative.
Finn, CISA, CISM, is the Health Information Technology Officer for Symantec. Prior to that role he was the Chief Information Officer and Vice President of Information Services for Texas Children's Hospital, the largest pediatric integrated delivery system in the United States. He also served as the Privacy and Security Officer for Texas Children's. Prior to that, Finn spent seven years as a healthcare consultant with IMG, Healthlink and PwC, serving last as the EVP of Operations for Healthlink.
Finn has 30 years experience in the planning, management and control of information technology and business processes. He is focused on enabling operating efficiency and deriving business value through the optimization and control of technology. His key skills include IT Governance and Control, Project Management, Systems Selection and Implementation, Business and IT Partnering, and IT Audit, Control and Security.
TOM FIELD: David, just to give us sort of a baseline here, how would you describe the state of cloud computing in healthcare today?
DAVID FINN: Well, cloud computing in healthcare is in its exploratory and kind of early development phase. At this point in time, we're seeing a lot of healthcare providers who are still in the process of understanding the cloud paradigm and formulating their own cloud strategies.
In other industries, we see the cloud as the mature reliable model for IT service delivery, and one of the reasons for this lag in healthcare, I think, is there is still a lot of discussion about what cloud computing is. There are a lot of opinions on cloud computing, and what it is or isn't, and whether it is a sea change or just another technology fad. When I talk to health IT departments, my suggestion is: Don't get hung up on definitions or terminology. Don't focus on the jargon of whether something is cloud computing, software as a service, infrastructure as a service or just another buzzword, but focus on changing the IT equation. The world of computing is really moving away from the on-premises IT model where you keep buying servers, and you keep buying software licenses, and you keep buying storage as your business grows. Cloud computing disrupts that conventional model and opens a new information technology path for business. So, you have these clouds, if you will, of computing power accessed over the internet, and they become your datacenter. Among the clouds, you'll find inexpensive storage that users can access on demand from any location on virtually any kind of device.
Easing Capacity ConcernsFIELD: Well, you make a good point that segues into my next question. One of the things we see consistently is that healthcare organizations face a shortage of storage capacity for things such as diagnostic images, research data, and other electronic information. Where can cloud computing help out in addressing that storage capacity issue?
FINN: Well, increasing secure storage capacity and lowering cost seem like mutually exclusive propositions in the healthcare industry, but the cloud can provide you virtually unlimited storage at a fraction of the cost of doing it yourself, and you can do it faster, cheaper, you can free your own resources. It is a secure if not more secure than your own datacenter, and once it is in the cloud, frankly, it's easier to share on top of that.
Most healthcare organizations today can't just keep adding storage capacity to keep up with medical image archive, for example. We find that medical images are about one-third of a hospital's storage requirement, and the exponential growth in these image sizes and the volumes of the images they are taking translates into more storage and more space in the datacenter. And the datacenter is already probably an all-time premium, so we're seeing that while the cost of a terabyte for hardware is on the decline, the cost of personnel to manage and keep up with that storage and the hardware and the power in cooling cost are actually on the rise. You've got bigger images, more images, you've got longer retention periods, so while the per terabyte cost declines, the number of terabytes you need to store is growing exponentially faster than that.
We already know that capital budgets are down from two years ago, and any relief in capital dollars in healthcare is generally being pushed into electronic medical records or other clinical systems. So in addition to adding to your storage farm, assuming you have the capital dollars to do that, you're also increasing your operating cost on an ongoing basis. So the cloud offers real relief from that. And the other piece is the cloud gets that off of your plate to deal with, whereas if you are doing that in-house and on-premise, when you reach life cycle on that storage you start the same cycle all over again.
Cloud SecurityFIELD: Now, David, as you know, some organizations -- and not just healthcare organizations -- have been reluctant to embrace the cloud because of their fears about whether the approach provides adequate security protections. How do you address this concern about security?
FINN: That is a great question, Tom, and I've got an analogy here. I want you to go with me for just a minute. Most of us live in our houses with our families, and we've got our spouses, our kids and our dog, and we put locks on the door, and we may put on special windows, and we keep all our stuff in our house. But most of us have documents or things like birth certificates and wills and deeds, and there are things we absolutely have to have that are very important, but we don't keep those in our house. We don't need them very often. We just want to be able to get them when we need them, and we want to make sure they are safe. So we trot those down to the neighborhood bank and put them in a safety deposit box, and to me that is no different than what we're proposing with cloud storage. It is stuff you don't need on a regular basis, but you can't get rid of it. You have to be able to get it when you need it, and so move it to the cloud.
You can think of the cloud as a safe deposit box rather than a soft fluffy thing where you are putting your storage. One of the concerns we hear about cloud from many people who are starting to look at is they lose visibility, and it's the same issue as again a safe deposit box. You put something away down the street, and you can't see it every minute, but you know and trust that bank, and when you go there you see the vault and you've got the special little key and someone else has to have a special little key, and it's really kind of the same thing. We give you visibility into what you've put out there. You can monitor it real-time, and any cloud provider should give you that ability. You should know what is going on with your data and what you've put out there, but it's not going to be on your site. You don't have to lose sleep about it every minute someone else is taking care of it.
FIELD: Well let's go with that image, David. If an organization wants to share with others the data or images stored in the cloud or in the safety deposit box, as you say, how can that be accomplished without jeopardizing the security? Because the individual can't be there necessarily watching that safety deposit box?
FINN: Well, from a sharing prospective, I think it just makes sense. Once something is in the cloud, it is easier for other people to get it. What you don't want to relinquish is your ownership of that ability. You need to have a good understanding with that bank or with that cloud provider on how you do that. And security isn't just making sure that something is locked up and safe; it's making sure that the right people can get the right data when they need it. So, you want to make sure that you are not disrupting your clinical or operational work flows in the hospital. You want to make sure that the data is being moved in a way that doesn't change how you are doing business, or changes it the way you want it to be changed, and then you want to make sure that when moving it into the safety deposit box, if you will, that the data is protected. You want to make sure it is encrypted while it is in transit to the datacenter. You want to make sure that it's encrypted when it is stored there, so even the people who are taking care of it can't see that data,. You want to make sure that is stored in more than one location in the cloud. And you want to make sure that the process is redundant, so you want to look at things from your cloud provider to make sure that there is active gateway system for that data to move up to the cloud. You want to make sure the data is synchronized between the redundant gateways you are using. You want to have fail-over, heartbeat monitoring of your system and the systems in the cloud. You should have access to it. It goes on and on. It's really no different than what you would do for a system of your own in-house. It's just that you are going to be working with a partner to make sure that you've got the security you want around your data.
HER ImplementationFIELD: Now, going into another direction: You mentioned the meaningful use not so long ago. As we know. in 2011 there are a number of hospitals and clinics that are going to expand their use of electronic health records as they apply for incentive payments under the HITECH Act. How does the cloud computing approach to storage particularly support an EHR implementation effort?
FINN: That is a very good question. That is a question we get from providers frequently. Moving things -- moving storage, moving images to the cloud -- per se doesn't get you meaningful use. It's true. But we also know from the HITECH directives and what is coming down the road with security, with privacy, with meaningful use, with having to share data that there aren't going to be enough health IT people. The Office of the National Coordinator estimated there is going to be a shortage of 50,000 health IT experts over the next several years. We're starting to see that already in the market. So the main thing that moving some kind of routine tasks to another source to letting someone else take care of the daily routine pass of managing storage, it frees up your resources to work with the very specific healthcare initiatives that the providers need to be working on.
It can also help you achieve higher levels of privacy and security with those archives, because you don't have to worry about encrypting them and maintaining them, and assuring locally that they are safe and monitored, but someone else can do all that for you and provide you the audit logs and the audit trails should you need them in the event of an issue. And what the encryption that is provided and frequently that is an issue in a provider because you may encrypt some of the data on your site. You may not encrypt all of it, and it is all on a big store, and you're backing up, and do you encrypt everything or do you not encrypt less secure data? But if you can farm that out and let someone else do the encryption, you may actually enhance your privacy and security, which is a requirement under HITECH, as well to have the enhance protection.
So, I think the big thing is you can take some of the burden off yourself and release your people to focus on things that are going to drive revenue, they are going to help you achieve meaningful use directly, and help you share that data in a meaningful ways.
Cloud AdviceFIELD: Final question for you David. If you could boil it down, what advice would you give to a healthcare organization that is just embarking on a cloud initiative today?
FINN: That's a good question as well. When people say "How do I start this search? How do I find a cloud solution?" My answer is this. A successful cloud computing solution is not a technical solution looking for a business problem. A successful cloud solution is going to solve business issues and help you realize your business objectives with a technical solution. In other words, if it isn't broke, don't fix it. Don't think you can make things better moving to the cloud because they are just going to be better. But if you have an operational issue or you have business issues like storage capacity problems and managing back-up and no capital dollars for buying storage, then I encourage people to look to the cloud as a viable option. This is really just another IT project and should be approached that way. There are a few minor differences, but you don't go looking for a solution. You have a problem and now you need to find a solution for it.
The cloud should be considered as well as any other options you have. You need to identify the impacts and limitations of a cloud computing. There are going to be some design issues. You need to understand that cost savings and risk mitigation are primarily benefits of cloud computing, but also how they fit into that equation. You have to understand the total cost of ownership and what a cloud will really save you. People frequently look at storage to storage, but they forget they're paying the power and cooling to add their own storage. They've got a huge upfront capital cost. They have to buy licenses for that storage management software, and so you have to look at and understand the whole cost of that. You need to identify the regulatory and governance requirements, and you have to meet the organization's compliance requirements with those industry rules. HITECH and HIPAA are two, but there are also PCI and state privacy, and depending on what you are storing it may, it may include Sarbanes Oxley. You want to make sure that when you move to the cloud that your IT architecture will work with that cloud, and not disrupt your work flows internally. Again, we've talked a little about adequate protection. So you want to make sure you're getting that, and maybe most important is you need to have a contingency plan for your cloud-enabled services just like you would for any in-house system you are putting in.
So, again we sometimes think of the cloud as new technology and it isn't really new technology. It is just a new model for delivering those IT services. So, you're going to take a little bit different look at it, but you're going to treat it just like any in-house IT project.