In passing the HITECH Act as part of ARRA in 2009, the government had
two primary goals: Moving physicians who have been slow to migrate from
paper-based patient records to an electronic medical record (EMR)
system, and ensuring that patient data no longer sits in a silo, but
instead is actively exchanged between health care professionals to
enable better quality care. As such, Congress allocated $34 billion in
investments that have served to catapult health care IT budgets to the
highest of any industry (at 5.4% cost of revenue).
For much of the health care industry, however, many questions still
linger. Chief among these is whether such enacted legislation hinders
the adoption of cloud computing in health care.
Last month, I moderated a panel of cloud and health care professionals at the Cloud Computing in Healthcare Conference
in Philadelphia to discuss these issues and understand where — if at
all — the cloud will impact the various functional segments of health
IT. The panel included David Linthicum, cloud pundit and chief
technology officer at Blue Mountain Labs; Edith Dees, chief information
officer at Holy Spirit Hospital; and William Gillespie, director of
healthcare at Distributed Systems Services, Inc. (DSS).
Initially, the goal of this panel was to discuss metrics around cloud
computing (i.e. How do you justify a move to the cloud? What are the
key business drivers to analyze? What are the costs?), but questions
from the audience forced the session to take a few steps backward and
analyze topics such as cloud security, vendor management and the
emerging cloud delivery models. However, the overarching question was
clear: Is healthcare ready for cloud computing?
Security: An Impediment to Cloud Adoption in Health care
Is the cloud mature and secure enough for the health care industry?
According the panel and audience members, the answer is not quite.
If you’ve ever visited a doctor’s office, you’re familiar with the
pile of forms you need to sign to protect your privacy. But what you may
not be familiar with are the extreme penalties that the Healthcare
Information Portability and Accountability Act (HIPAA) hold executive
managers accountable for the disclosure of private patient information.
During the session, one health care CIO remarked that the health care
industry is “…not ready for the public cloud. The technology is too
immature, does not extend securely to my existing applications and
difficult to manage as a service.” He also noted that his board of
directors is all too familiar with the issues that cloud file-sharing
company, Dropbox, recently experienced. In health care, the privacy
concerns around HIPAA have entirely different consequences and a
mistake, like the one by Dropbox, could potentially expose a health care
organization to civil and criminal liability. So while the benefits of
the cloud are appealing, many health care executives continue to balk at
assuming unnecessary risk.
The never-ending public cloud vs. private cloud debate
A key theme throughout the panel was determining the best cloud model
for health care organizations. A public cloud lacks the control and
security policies required by health care organizations. On the other
hand, a virtually private (or hybrid) cloud offers customization,
security, privacy and a high level of internal control. Health IT
leaders must identify the cloud solution that allows them to take
advantage of private cloud technologies where IT can own or modernize
data centers and, as a result, obtain the extended scale, business
agility and economic reach.
I brought this point up to one of my panelists, industry luminary David Linthicum,
who advises health care organizations on cloud strategies and services
oriented architectures (SOA). David evangelizes that “service oriented
transformations” will enable health care providers to securely connect
existing systems and data repositories to access actionable information
across health care systems and enterprises. Moreover, services
transformations give providers greater flexibility in meeting future
changes as the health care industry adopts new regulatory requirements and
This public vs. private cloud debate continues to rage in the IT
industry. However, in the health care vertical, private and hybrid
clouds are winning the race.
When the cloud is adopted, vendor management is crucial
Though it was clear that cloud use-cases are not currently a
priority, questions from the audience were seeking new strategies for
vendor management and governance. Generally, there is much interest in
understanding what the vendor mix will look like in the future. As more
IT departments move to the cloud, the ability to manage and measure the
performance of multiple cloud vendors becomes critical. For example,
health care organizations might utilize co-location and/or third party
electronic health vendors, but they must be managed. They also require
service level agreements that have distinctive privacy and security
The true nature of what the “cloud” enables is a mix of third party
providers that will extend the capabilities of an IT shop. Tiering of
service providers with focused specialties will force the discipline of
vendor management. Cloud vendor management will be vital for driving
best pricing and optimal unit rates for outsourced infrastructure
services. This will ensure vendors are held accountable to contract
standards, and that health care organizations can optimize spending and
buying power with strategic vendors.
Cloud computing is one of the most transformative business
technologies since the adoption of the Internet. However, in an industry
as sensitized to privacy and control as health care, many IT
professionals in the health care landscape remain leery. Is health care
ready for cloud computing? It’s unknown, but the debate will undoubtedly
continue. However, with the right model, adequate privacy and control
standards, and a comprehensive vendor management capability, the cloud
in one form or another will be a viable and appealing option for health
Cloud Computing in Healthcare Panelists (left to right) Edith Dees, CIO Holy Spirit Health System,
Buddy Gillespie, CIO Emeritus, Wellspan & Industry luminary David
Linthicum and Chris Pick.