True North Networks Blog
Infrastructure Reality Check: What Can Go in the Cloud, Really?
Some healthcare CIOs say it's time to move just about everything to the cloud, while others say not so fast.
Long-term cloud costs
The long-term costs of managing cloud services must be considered. Something can be very easy to use but is not feasible from a cost control perspective.
“Theoretically you do not want to go down the road of using a cloud solution just because it is easy, because it might come with a cost uplift,” he said. “Easy does not always translate into how things are operationalized, hence how things are paid for and managed and budgeted.”
So while ease of use is indeed a consideration, it seems like the big question still comes down to what can healthcare CIOs really put in the cloud today? On the security front, what data and applications can exist in the cloud?
Since 2013, Brookdale University Hospital and Medical Center’s electronic health record has been in the cloud.
“We are very careful with our patient data, we have taken a strong stance on the security aspect of that, constantly making sure that it is as good if not better than self-hosted,” said Tarlow of Brookdale. “Our ERP system is in the cloud, many of our ancillary systems have been in the cloud for five-plus years. Our interface engine.”
Technologies the provider organization has not yet moved to the cloud are ones that are heavily dependent on bandwidth, and that staff are not yet fully comfortable with the speed of moving these last systems to the cloud. Staff are strategizing on how to move them to the cloud.
Nearly everything to the cloud
Wellman of Comanche County Memorial Hospital said they are on track to move just about everything to a cloud/remote-hosted setting with very little left onsite.
“This currently includes our ambulatory applications, financials, time and attendance, and as we move to a new acute care application, we are requiring it to be offsite,” he explained. “We are in the process of selecting a new acute care EHR and we expect it to be offsite as well. In the past we felt the interfacing and processing power should all be local, but as we have experimented over the years we felt this is no longer an issue with speed, assuming you have robust ISPs with multiple pathways to reduce the chance of excessive downtime.”
These three healthcare executives are generous when it comes to what they feel a healthcare organization can put in the cloud. Is there anything they feel should not be in the cloud?
"We are very careful with our patient data, we have taken a strong stance on the security aspect of that, constantly making sure that it is as good if not better than self-hosted."
Eli Tarlow, Brookdale University Hospital and Medical Center
“We really have not found anything that cannot go to the cloud, although some associated performance issues could cause you to not pursue it wholly,” Wellman said. “For example, we see the benefit of pushing our DICOM images to the cloud, but only in a hybrid design where we have onsite equipment that can receive from the modalities and then push the image to a cloud without causing a delay in that process.”
A good hybrid design would allow the organization to appropriately size and maintain the onsite storage to build an image cache and allow for pre-fetching larger images to avoid excessive wait times when a provider wants older images for comparison such as mammography, he explained.
“I would also like to point out that this model is preferable to our facility because we are in tornado alley on the Oklahoma plains, so this is a big part of our disaster recovery and business continuity plans,” he added. “It is easier and much more affordable for us to establish emergency network connectivity than it is to build or contract for a fully functional secondary data center. That played a big role in our decision to move toward the cloud.”
Still some concern among CIOs
Right now, healthcare organizations remain slow to adopt cloud methodology for the use of protected health information, contended Earle of Kaleida Health.
“Among the reasons why is that there has to be a constant that the data does not leave the United States or countries that value intellectual property and patient confidentiality or sensitive data,” he said. “Until the businesses can guarantee that your data does not move outside of the areas and controls or some kind of geo-fence of that data, it becomes less and less practical that healthcare providers would whole-heartedly put their sensitive data into the cloud.”
It is starting to happen, though. Cloud companies now are starting to accommodate PHI and related rules and practices, he said.
“They are starting to put those guardrails onto the data, but there still is some level of hesitation among CIOs around the country to adopt the cloud solutions until there is much more comfort around the resiliency of that data within the cloud,” Earle said. “There has to be some level of breakthrough when it comes to the vendors that are offering cloud services and their complete understanding of how health delivery organizations operate and do all of the constraints.”
What should a CIO say to concerned peers in the C-suite asking questions about security? Tarlow of Brookdale University Hospital and Medical Center points to some standard activities within the IT department.
“We do routine audits on this every single year; we run a security audit against it to make sure,” he said. “But I would reverse the challenge and say what if it’s onsite, what additional technologies, personnel, bells and whistles, would we have onsite that we do not already have in the cloud? Aside from someone breaking into our building, but we have security guards and I assume all of the cloud vendors have security guards.”
Cloud vendors have deeper pockets
The cloud vendors can afford the redundancies that individual healthcare organizations may not be able to afford independently, he added.
“I would educate the executives on the risks and hazards and on the benefits of doing it onsite versus offsite, so they can really learn,” he said. “It is a scary world out there. It’s really about becoming the most secure.”
He added that he was CIO at Bellevue Hospital during Superstorm Sandy. The majority of that organization’s systems were offsite, including the EHR, he said.
“The hospital was challenged, patients were discharged to other hospitals because we had to evacuate,” he concluded. “It helped us that our EHR was hosted remotely. These are not things in our dreams anymore, these are things that are really happening. And they are validating our strategy.”