In partnership with CHIME, healthsystemCIO.com has developed a blogger series featuring insights from hospital and health system CIOs and other key IT leaders representing organizations from around the country. The blogs, which will be featured on our site on a biweekly basis, will focus on the major issues affecting CIOs, including the health IT workforce shortage, mobile device management, and federal regulations. The second entry in our series comes from Mary Anne Leach, VP/CIO at Children’s Hospital Colorado.
Cloud computing is here. And since this is an often ill-defined, misrepresented and misused term, for the purposes of this commentary, I will define “cloud computing” in its purest technical sense: the dynamic and scalable allocation of computing resources like memory, processor, storage, and networks to create an environment of dynamic, on-demand allocation that is characterized by elasticity, scalability, high availability, and managed consumption. The promise of this computing paradigm shift, particularly for healthcare, is that it could radically reduce technology infrastructure costs.
I do not consider “remote hosted”, “application service provider” (ASP), or Software-as-a-Service (SaaS) solutions to necessarily equate to cloud computing architecture. They may employ a cloud architecture, but they may also be designed as private, remote-hosted services — not the same as a public, cloud-hosted service.
For many of us, “the cloud” has been here for quite a while. Many of our healthcare organizations have “private clouds” within our data centers where we have virtualized servers, storage, networks, and desktops. We can scale quickly and efficiently, providing all the elasticity of externally hosted clouds, but with more control, flexibility, monitoring and (perhaps) more security.
At Children’s Hospital Colorado, we have a sizeable “private cloud” that offers us cost-effective scalability, flexibility, and high availability. We are weighing the risks of participating in public cloud offerings, by way of some of our recent vendor proposals. Amazingly, however, these vendors are having difficulty communicating their security program, and we’re becoming increasingly pessimistic that we’ll have protected health information (PHI) in a public cloud anytime soon. But the business case is a compelling one that we’re actively evaluating, and someday, in the not-too-distant future, this may just be “the way we all do business”.
Currently, however, the idea of PHI hosted in a true “public cloud” where resources are truly shared (perhaps among disparate organizations or users) and where an internal (or external) breach could occur, possibly on a massive scale, is somewhat daunting. A breach of this magnitude, with all the associated fines, media notifications, patient and family harm, and the resultant “brand damage” to the organization whose data has been breached, would be significantly costly and damaging on many fronts. We can contract “responsibility” for data security and even for the financial obligations to pay the fines — but we cannot contractually waive our accountability, as healthcare providers, for the data we create, store, analyze and share.
Some industry estimates calculate that less than 2 percent of healthcare organizations today entrust their (PHI) data to a true public cloud — and perhaps with good reason, as we continue to see daily reports of data breaches and the resulting fines and brand damage. We’ve also read about the breaches that have occurred with the major public cloud vendors. Putting these two elements together (health data breaches and cloud breaches) without the appropriate technical, data security, governance, contractual and financial obligations will result in painful “early adopter” experiences.
But there are proven methods, standards, and evolving technologies that support the data security, monitoring, and accountability for health data. These proven methods and experiences will be required to convince healthcare providers to enter the world of the public cloud. But until rigorous security standards are met, communicated, monitored, reported against, upgraded, and complied with, most healthcare providers should be carefully weighing the cost-benefit ratio of placing their PHI into a public cloud environment. Are the cost savings worth the possible fines for a breach? Are the cost savings worth a possible “dent” to the organization’s brand and reputation, and the community’s sacred trust? What is your hospital brand worth?
The tensions are mounting between access and security. At the same time as more and more health information is being “shared” (such as via health information exchanges), there is a parallel, increasingly punitive environment emerging around inappropriate data sharing and data breaches. While cloud technology promises to bring great efficiencies and cost savings to healthcare, we must remember our roles as data stewards, and proceed thoughtfully and carefully into “the cloud.”
The technology is here, and its potential application in healthcare is very exciting and could be very rewarding. How we leverage this technology to radically reduce costs while preserving data security, privacy, and the public trust will be one of the great challenges for this generation of health technology leaders. I look forward to hearing of your strategies, value realized and your success stories!