As I have written previously, CIOs across the US have been pointing out to me that both opportunities and expectations for medical records storage, access, and delivery - particularly with regard to cloud storage - are at an all-time high. More electronic health records (EHRs) must be stored and delivered faster and with greater stability and usability (and they'd love it if it could be done cheaper too).
Just recently, a number of clinicians told me that they were dissatisfied with the results of an EHR rollout project. I asked them what their criteria were to determine success. Their answer was that they had hoped to earn more money, get home an hour earlier, and be less stressed. This sounds good - but...
The Cloud does not solve every problem, whether related to healthcare information technology or otherwise, but it does significantly improve access to medical records, reduce CAPEX (capital expenditures), and enable health data management support (e.g. IT) to focus more on optimization than procurement.
One of my main tasks is to oversee several hundred physical servers in data centers across the US. They are operated by BIDMC and other hospitals. The lease on the building that houses our primary data center and all the H/W there expires in a couple of years. I'm pretty optimistic that by the time that happens and we need to move out, we will not need to rebuild or operate our own data center elsewhere. By then, we'll have already embraced the public Cloud.
Between Embracing the Cloud and Being Embraced by It
Many companies talk about moving their healthcare information management system to the public Cloud. An attorney acquaintance, however, recently asked me whether people are actually reading the fine print. Securely and efficiently upgrading and transferring a legacy healthcare data storage system from the data center to the Cloud requires meticulous planning.
Let me break down some of the key issues that need to be dealt with.
- Technical and Logistic Concerns
- Data Security Concerns
- Legal Concerns
Technical and Logistic Concerns
At the technical level, you need to understand what exactly it is that you are buying, and how that supports and advances your healthcare information systems needs.
Here are some types of Cloud offerings that I've organized for you:
- Infrastructure as a service: All your healthcare datasets are remotely hosted
- Platform as a service: The apps you use all run remotely on someone else's Software Development Kit (SDK)
- Software as a service: You buy transactions run by someone else
- Outcomes as a service: You pay for a result to be realized
Each of these approaches requires the following from the Cloud hosting vendor:
- Service Level Agreements (SLAs) that detail what happens if the technology fails
- Detailed disaster recovery contingency plans
- Local replication to ensure business continuity if there is an Internet outage (such as a denial of service attack)
- A solid "back-up plan" (in both senses): the ability to reclaim your data should the hosting arrangement not work out (who owns the data?) and a plan to return to some other temporary working arrangement to be able to continue working until a new, permanent solution is found
Data Security Concerns
Network security concerns are a major headache to avoid. You'll want to assess the Cloud hosting vendor's security levels, strategies and survivability in case of a major malicious attack or other system breakdown. This can be carried out by an independent audit of the Cloud hosting vendor.
Some things to consider and perform background checks on are:
- What kind of multi-layered defense strategy and tools are in place to defend against hackers?
- How is the staff trained concerning virus, phishing, and other malware avoidance?
- What protective measures are in place regarding employee misconduct?
- Is the data itself secure? Although encrypting data is sometimes seen as a panacea, it won't solve the kinds of major security breaches of the last 12 months, the majority of which occurred at the application and not the data level
- Do they have physical security guards in their data centers?
Legal Concerns
These types of concerns include compensation for monetary outlays that are associated with a breach and, just as importantly, business associate agreements and a clear and detailed definition of the roles and responsibilities of every entity involved in offering and supporting the Cloud service. In this way, if something should go south, it will be clear what is to be done, by whom, and who covers the financial aspects.
Making It All Work Legally - For Your Benefit
Of the many issues discussed above, the legal concerns are the most difficult to resolve. Many customers will ask Cloud vendors for an indemnification (i.e. compensation) clause without a cap, where the vendor must cover all costs associated with a breach, including third-party lawsuits.
As a rule, no Cloud vendor will sign an agreement without a cap. In fact, the Cloud Council presented a white paper which suggested that a cap of 12 months of fees is considered acceptable.
Protect Your Interests: Some Points to Put to Your Cloud Host Vendor
- Get your Cloud vendor to sign a business associate agreement that gives them a legal mandate to protect privacy.
- Try to negotiate a cap of at least three years of fees.
- Try to get your Cloud hosting vendor to agree to cover federal fines, if the vendor is at fault. Note that the HIPAA Omnibus Rule already requires business associates to be accountable in all relevant cases of their fudge ups.
- Try to get your cloud hosting vendor to cover notification costs, credit monitoring costs, and call center costs in the case of a malicious hacker breach. These can be expensive.
- Even with three years of fees, federal fines covered, and reporting costs covered, there still may be expenses that go beyond the cap. Consider cyber-liability insurance for these excess costs. No Cloud vendor will cover everything.
- Your legal and healthcare compliance departments will be important partners as you have the discussion with Board members and senior management about acceptable risks.
The Cloud Migration Effort - Worth It in the Long Run
Here's something to consider: Health information management is not an easy task. Big data in healthcare or healthcare data analytics is generally less time-critical or "real-time" sensitive as compared to the equivalent for an atomic plant. However, having the best pipeline for accessing patient and healthcare data is vital and very often life-critical.
Medical records management of healthcare data over the Cloud is seen - across the board - as so essential in today's society that government regulations regarding HIPAA-compliant cloud ensure that healthcare technology providers and users carry out their tasks responsibly.
Moving up to the Cloud requires a clear, well-planned strategy, and we at Zulucare can provide you with proven solutions for your healthcare data management needs. Call us, and we'll get you up to the Cloud safe and sound.