Health system IT executives are rethinking their cloud strategies in response to recent high-profile incidents that have exposed vulnerabilities in cloud-based services. During a recent healthsystemCIO panel discussion, CIOs and technology leaders debated the benefits and risks of cloud, on-premise, and hybrid infrastructure models.
The Risks of Over-Reliance on Cloud Vendors
One major concern raised during the discussion was the risk of excessive dependence on cloud vendors. The CrowdStrike outage served as a stark example of how an organization can be affected by a third-party failure, even when there is no direct relationship. “I had zero control over the situation,” said Chuck Podesta, CIO at Renown Health. “I realized we can’t put ourselves in this position where a third-party vendor’s failure can disrupt essential operations.”
The financial and cybersecurity risks tied to cloud adoption were also underscored. Brian Cornell, VP at Healthlink Advisors, pointed out that many cloud vendors now disclaim liability in cyber incidents. “We’ve seen deals nearly fall apart because vendors refuse to take on cyber liability,” he noted. “Health systems need to be aware of these risks and ensure they maintain adequate protections.”
Podesta expanded on the issue, recalling how his organization’s payroll processing was affected. “We had to run payroll on Monday, and it was Friday when we realized we had no access. Explaining to leadership that we had no timeline for resolution because we had no direct relationship with the affected vendor was incredibly difficult. This was a wake-up call.”
Cost Considerations and Governance in Cloud Adoption
The financial aspects of cloud adoption were another key discussion point. While cloud solutions offer scalability and agility, they do not always lead to cost savings. “People think the cloud is cheaper—it’s not,” explained Scott Smiser, CTO at Emory Healthcare. “You need strong financial oversight, governance, and a hybrid strategy that balances risk, control, and cost.”
To mitigate cost risks, Smiser emphasized the importance of FinOps. “If you don’t have a tight process around cloud expenditures, your costs will spiral out of control. The bill always comes due.”
A recent cost analysis conducted by Cornell’s team with a health system evaluating an imaging solution supported this point. “We compared cloud versus on-prem costs, and cloud wasn’t necessarily cheaper. When we factored in cybersecurity protections and potential downtime, maintaining a hybrid approach proved to be the most cost-effective solution.”
Governance and oversight remain critical in managing cloud expenses. Smiser recounted a costly oversight: “We had researchers who spun up compute instances for AI workloads and forgot to turn them off over the holidays. When we returned, the bill was massive. Governance is key.”
Podesta also highlighted the need for a strategic approach to financial management when adopting cloud solutions. “If you don’t integrate cloud spend into your financial strategy from the outset, you will find yourself in a situation where costs keep climbing unexpectedly.”
Hybrid Approach for Resiliency and Control
Rather than committing entirely to cloud or on-premise infrastructure, many organizations are finding that a hybrid approach offers the best balance of cost, control, and security. “You think the cloud is cheaper, but it’s not always the case. There are benefits to keeping certain workloads on-premise or in a co-located data center where you retain control,” Podesta advised.
Smiser agreed, stressing the importance of careful assessment. “A hybrid model is where most organizations will land. The key is identifying what makes the most sense to move and what should stay.”
The discussion also touched on imaging system migrations to the cloud, a move that Podesta’s organization undertook. “We made the decision to move our imaging to the cloud, and six months in, we’re still evaluating if it was the right choice. There are benefits, but the long-term cost efficiency remains to be seen.”
Compliance and cybersecurity concerns also play a major role in deciding what should remain on-premise. “Healthcare IT leaders must consider compliance frameworks like HIPAA and cybersecurity insurance,” Cornell noted. “Some organizations are even involving their insurers in disaster recovery planning to ensure they’re adequately protected.”
Smiser recommended structuring contracts with cloud vendors to allow greater flexibility. “You need to ensure that your contracts allow for the ability to pivot if circumstances change. Long-term commitments can be risky if you don’t build in an exit strategy.”
Disaster Recovery and Operational Resilience
The importance of resilience planning was emphasized throughout the discussion. “It’s not if you get hit with an attack—it’s when. The question is how quickly you can recover,” said Podesta. He stressed that health systems need to assume they will experience downtime and must have a clear recovery strategy.
While cloud providers offer redundant systems, health systems should not rely solely on them. “You can’t rely solely on a vendor’s failover system. You need to test your own disaster recovery plans and ensure you have local backups in place,” Smiser advised.
Cornell added that working with cybersecurity insurers can offer additional insight. “Insurers have a unique perspective because they assess risk across multiple industries. Some of our clients have found that involving insurers has helped them identify gaps in their resiliency strategies.”
To-Do List
- Adopt a hybrid approach: A mix of on-premise and cloud solutions allows for greater control and cost management.
- Ensure strong governance: Establish FinOps teams to monitor cloud costs and prevent unnecessary expenses.
- Evaluate vendor contracts carefully: Assess cyber liability terms and ensure data protection responsibilities are clearly defined.
- Prioritize resiliency and business continuity: Assume a cyber incident will happen and plan accordingly for recovery.
- Engage CFOs and legal teams: Cloud decisions impact financial strategies and regulatory compliance.
- Review cloud expenditures regularly: Prevent unnecessary costs by monitoring cloud usage and educating teams on proper resource management.
- Consider cybersecurity insurance involvement: Bringing insurers into IT resilience planning can improve preparedness and potentially reduce premiums.
- Test disaster recovery plans frequently: Don’t assume your cloud provider’s failover systems are sufficient. Conduct regular drills to identify weaknesses.
- Build contract flexibility with cloud vendors: Ensure agreements allow for future adjustments if cloud costs or risk levels change.
A proactive financial approach to cloud adoption remains critical. “If you don’t have a tight process around cloud expenditures, your costs will spiral out of control. The bill always comes due,” Smiser cautioned.