Hospitals and the overall healthcare sector are experiencing a major digital evolution that is pushing them to change their traditional ways of managing information. To close the gap between their needs and the agility, security, compliance, and performance of their changing IT infrastructure, many organizations are exploring the benefits of the cloud. The traction of on-demand cloud services, along with cloud security, has swiftly changed the healthcare sector's mindset from “why move to the cloud?” to “what and how should we move to the cloud?”
A 2014 cloud survey conducted by HIMSS (Healthcare Information and Management Systems Society) showed that over 83 percent of healthcare organizations are already reaping the benefits of cloud services. Numerous studies, like the HIMSS survey, conclude that healthcare IT infrastructure and its workloads are moving to public cloud providers such as Microsoft Azure and Amazon Web Services (AWS). A recent study by MarketsandMarkets shows that the global adoption of cloud services by the healthcare sector will grow immensely, from $3.73 billion in 2015 to approximately $9.5 billion by 2020, a CAGR (Compound Annual Growth Rate) of 20.5 percent.
“Global adoption rate of cloud services by healthcare sector is expected to grow to $9.5 billion by 2020.” – Study
Global Off Premise Shift and Cloud Disconnect
Along with moving to the public cloud, healthcare IT workloads are also moving off premises. According to the report on the Impact of Cloud Computing on Healthcare by the Cloud Standards Customer Council (CSCC), these workloads include Clinical Research, Electronic Medical Records, Telemedicine (video conferencing), Big Data, Analytics, and Health Information Exchange.
This global shift and the integration of public cloud IaaS (Infrastructure as a Service) have raised serious concerns about the success or failure of the system. The industry analyst and consultancy firm Enterprise Management Associates (EMA) surveyed 400 IT specialists for its research ‘Casualties of Cloud Wars: Customers Are Paying the Price’ to gain insight into their achievements and challenges, and their successes and failures. The results showed that healthcare organizations using large IaaS vendors are facing failure rates of nearly 60 percent.
“Healthcare organizations using IaaS vendors are facing nearly 60 percent failure rate.” – Study
One of the top research firms, Gartner, also published its report ‘Problems Encountered by 95% of Private Clouds’ based on 140 respondents.
5 Risks Hospitals Face When Moving to Cloud
The fact of the matter is there are many angles by which these failures or problems can be evaluated, but overall there are five major risks hospitals and other related organizations should focus on before moving their IT infrastructure and workloads to any public cloud system.
Overburdened IT Staff
Moving documents, pictures, and other digital resources to the public cloud may require less cost, knowledge, and planning, but for healthcare organizations, moving resources from one point to another is a more complicated task. Unlike on-premises physical plug-and-play practices, cloud resources are managed via software. Even staff familiar with the concept of virtualization will find moving to the cloud a big leap that requires specialized training and/or coaching.
Security and compliance risk also overburdens the IT staff, as they have to ensure that the cloud provider's agreement terms comply with the Business Associate Agreement (BAA), which is an essential requirement of the HIPAA Omnibus Rule.
“IT staff require training to move to the cloud and knowledge of BAA compliance.”
Other common tasks, such as capacity planning and change management, do not change after moving to the cloud. The burden on IT staff is the most underestimated risk, and their lack of knowledge can contribute to additional risks.
Cloud Security
Hospitals and other healthcare organizations are responsible for securing PHI (protected health information) within their premises. Although enterprise cloud providers provide superior security, the primary cloud security risk is the ‘cloud disconnect’ between the hospital or organization and the cloud provider: who is responsible when something breaks down?
Such a communication breakdown occurs after the cloud system has been implemented and both parties have turned their focus to other projects. The next question that arises is: who is responsible for reviewing server logs? If such security details are not investigated upfront, it is possible that neither party claims the responsibility.
“Healthcare organizations and cloud providers should use the best practice of RACI to separate their responsibilities.”
To mitigate cloud security risks, healthcare organizations should use best practices such as the RACI model of ITIL (Information Technology Infrastructure Library) to determine who is accountable for, and who is informed about, each cloud security task. Moving to a cloud is like gaining an IT person who can do a limited set of tasks, while other security tasks are still managed by the healthcare IT team.
Compliance
Implementing the cloud requires expertise, monitoring, and maintaining compliance with HITECH, HIPAA, and other regulations. Healthcare organizations also need to provide an auditable information trail of changes or interruptions in the infrastructure.
“Healthcare organization and cloud provider should always maintain compliance with HITECH, HIPAA, and other related regulations.”
The Business Associate Agreement (BAA) outlines many compliance-related responsibilities that are often not fully understood by both healthcare organizations and cloud providers. For example, a BAA requires recertification when the cloud environment changes, to ensure compliance. Suppose a healthcare company publishes PHI (protected health information) inside a public cloud environment and then makes changes to that environment without notifying the public cloud provider. By failing to notify the provider, the healthcare organization can inadvertently nullify its BAA with the cloud provider.
On the other hand, a public cloud provider may sign BAAs without properly understanding what it is obligating itself to. It is imperative for both parties to discuss and fully understand the responsibilities and key points to ensure they are on the same terms.
Manual Processes
This risk is probably the most surprising in today’s digital age. Some organizations think they can save a great deal of money by relying solely on their internal personnel to control the entire process. This ‘learn by experience’ approach brings rigorous and repetitive procedures based on trial and error.
Inevitably, manual processes lapse, and the consequences can range from hours of downtime caused by missteps to inadvertent exposure of PHI because responsibilities were not confirmed with the cloud provider ahead of time.
“Manual processes evidently lead to failure and potential exposure pre- or post-implementation of the cloud.”
Even if no problem or failure occurs during the planning or migration phase, post-implementation problems can occur at any time with new workloads or security policies.
Unexpected Costs
Such costs are most burdensome when the focus of moving to the cloud is on cost saving. This happens when organizations see the cloud solely as storage and compute. For example, a healthcare organization’s legacy servers are reaching end of life, or an upgrade is required to meet increasing demands. The IT staff then compares the cost of moving to the public cloud with the cost of installing new equipment. Such analysis often causes organizations to overlook crucial factors such as the security, planning, compliance, labor, and manual processes discussed above. The end result is the same failure.
“Focus on cost saving causes organizations to overlook security, planning, compliance, and labor factors, which leads to failure.”
How to Overcome Public Cloud Risks?
For internal IT infrastructure and private cloud deployments, a do-it-yourself (DIY) approach may be a feasible strategy, provided intensive care is taken, especially to maintain compliance and security.
When moving healthcare IT workloads to the public cloud, partnering with a managed service provider (MSP) is a viable strategy for successful implementation. A HITRUST (Health Information Trust Alliance)-certified MSP that has a thorough understanding and vast experience of the healthcare market, along with strong BAA knowledge, is your best option. The MSP can provide you with migration roadmaps, business reviews, suggestions on improving technology, reduced training costs, and step-by-step guidance on the spot.
Conclusion
Hospitals and other healthcare organizations are experiencing the movement of data and other IT workloads to the cloud. Many organizations have already taken the initial steps, paving the way for many others to follow suit. Being aware of the five major risks surrounding the cloud will help ensure that hospitals and other healthcare organizations prevent ‘cloud casualties’ and utilize the full potential of the public cloud.
Author Bio: Shiraz Hashmi is a scholar of the Information Security discipline. He is passionate about writing and about learning the latest trends in technology and other fields of interest. You can reach Shiraz Hashmi on Twitter.
Shiraz Hashmi is a guest blogger; all opinions are his own.