A common perception among IT consulting experts is that the healthcare industry is one of the most challenged and constrained in its ability to achieve continuous technical innovation, support emerging technologies and cost-effectively source IT solutions. The industry is known for its significant dependence on legacy on-premises infrastructure (aka “technical debt”), decentralized IT organizations (“shadow IT”), and for having to contend with expensive and often contradictory compliance regulations (HIPAA, HITECH, state health record breach notification laws, etc.). Finding and retaining security subject-matter experts in this environment is also challenging, to say the least. The highly competitive cybersecurity resource pool and the ever-escalating need for competitive compensation packages are often just beyond the means of many cash-strapped healthcare providers.
These and other challenges have caused many healthcare organizations to delay innovations that could help them adapt more easily to today’s demands by patients and regulators. While other industries have embraced the advantages offered by cloud solutions, for example, the same is not happening in healthcare – why?
Citing primarily security concerns, many in healthcare believe that use of cloud technologies is for non-production environments only and that electronic protected health information (ePHI) should never be stored or processed in the cloud. This perception may have been arguable ten years ago, when cloud technologies were plagued with rudimentary security controls, but cloud-based services and resources have come a long way since then. As more industries adopt cloud-based solutions, the major vendors (AWS, Azure, Google, etc.) are heeding the demands of their customers for security, auditability and scalability, and are responding in kind. The ability to take advantage of the advancements in today’s cloud solutions exists, and healthcare organizations will be wise to at least consider the options and potential benefits. These include:
- Lower in-house compliance efforts – Although no cloud provider can ensure full coverage of all of the HIPAA/HITECH/HITRUST technical controls, leveraging certain approved and compliant services can dramatically reduce the burden on the healthcare entity by shifting partial responsibility, liability and/or risk to the cloud provider. This in turn allows the healthcare entity to be more effective in dealing with the reduced scope at hand.
- Enhanced physical security, redundancy and resilience – How many healthcare organizations can say that their data center security and uptime performance are close to the performance metrics reported by Google, Amazon and Azure? The costs necessary to achieve similar availability performance with enterprise data centers make cloud-based alternatives seem much more attractive. Many cloud solutions beat an enterprise data center at business continuity and disaster recovery, reliability and performance on a global scale. Major cloud services providers have the infrastructure and resources to serve interconnected facilities all over the world, doing away with the severe limitations inherent in physical data centers.
- Flexible, scalable and on-demand environments – Cloud-hosted solutions provide the ability to support multiple concurrent (and isolated) environments for both production and non-production (development/QA/stage). This means tighter security controls and role-based access, increased visibility on spending, enhanced alerts and audit trails, as well as the ability for transitory environments to exist only while they are needed, without affecting production.
- Reduced complexity – Cloud infrastructure providers also offer deployment, configuration, monitoring and scaling management and automation tools that can replace the myriad of scripts and manual processes that local network engineering departments have employed to perform similar tasks with their enterprise data centers.
- Focus on core applications – Serverless infrastructure allows the customer to concentrate resources on its core applications and services, while deferring all non-essential computing resources to the cloud provider. Adapting to these services means having a true, cloud-first, cloud-native mentality, and it is where the most value out of migration to cloud can be found today.
If modern cloud providers can deliver these capabilities, why haven’t more healthcare companies adopted cloud services as part of their short- and long-term strategies? Often, this results from an abundance of caution and justifiable concerns about disturbing the difficult balance of the complex healthcare environment. Here are several of the major factors that should be considered when thinking about cloud alternatives:
- There is no “easy button” to compliance – There is no way to offload 100 percent of the compliance requirements to a cloud vendor. Although all the major cloud vendors will tell you that they are HIPAA, HITRUST, HITECH and PCI compliant, the more accurate statement is that some of their services have been verified to be compliant, but only for the areas in which the cloud supplier is responsible. The cloud suppliers that provide these compliant services will provide a “shared responsibility matrix” that identifies the exact responsibilities of both the vendor and the customer. It is also important to note that not all of these services have been certified against all compliance frameworks, so healthcare organizations must always perform their own compliance assessments before developing a production application using these services.
- A well-thought-out cloud strategy is a must – Organizations wanting to leverage the cloud should view it as a long-term investment, backed by a three-to-five-year strategic cloud adoption plan. Even with a “cloud first” directive, it is not reasonable to expect that all services and applications can or should be moved to the cloud. Each application and service being considered for cloud migration should be evaluated (both individually and as part of related and dependent systems) to identify any risks or inefficiencies from cloud adoption. Merely migrating existing servers or applications to the cloud is not enough to reap the benefits. Part of the organization’s three-to-five-year cloud strategic plan is identifying which services must stay on-premises, which ones should be migrated, and which ones should be deployed as cloud-native services.
- It is not all about the technology – Cloud solutions affect employees, business partners, business processes, financial accounting and a number of other functions. Some existing roles will change, and others may become obsolete or require employees to be trained in the use of cloud services. In some cases, organizations may have to hire cloud-savvy personnel. Such changes are sure to create tension, so management will need to be aware of these challenges and have a plan to address them.
- The benefits and advantages of the cloud aren’t realized immediately or automatically – Most organizations won’t see the benefits of a cloud solution adoption immediately, and it often takes three to five years for savings and efficiencies to manifest. A good way to recognize the potential and track the return on investment is to have an experienced cloud architect articulate the strategic plan with specific business advantages. This plan should identify when the expected benefits (cost reduction, resource effort reduction, technology innovation, streamlined business processes, etc.) will be realized along the cloud implementation map.
The bottom line is that cloud solutions can bring many advantages to healthcare organizations – but this doesn’t mean cloud adoption will be straightforward, or a panacea for all the industry pains and challenges. A clear and cohesive strategy can help make the decision to migrate parts of the healthcare IT environment to the cloud easier. The healthcare industry exists in the same dynamic, digitally-driven environment as the rest of the business world, and while its challenges are considerable and unique, it should not resign itself to being left behind when it comes to innovation.
Randall Wentworth of Protiviti’s Security and Privacy practice contributed to this content.