In passing the HITECH Act as part of ARRA in 2009, the government had two primary goals: Moving physicians who have been slow to migrate from paper-based patient records to an electronic medical record (EMR) system, and ensuring that patient data no longer sits in a silo, but instead is actively exchanged between health care professionals to enable better quality care. As such, Congress allocated $34 billion in investments that have served to catapult health care IT budgets to the highest of any industry (at 5.4% cost of revenue).

For much of the health care industry, however, many questions still linger. Chief among these is whether such enacted legislation hinders the adoption of cloud computing in health care.

Last month, I moderated a panel of cloud and health care professionals at the Cloud Computing in Healthcare Conference in Philadelphia to discuss these issues and understand where — if at all — the cloud will impact the various functional segments of health IT. The panel included David Linthicum, cloud pundit and chief technology officer at Blue Mountain Labs; Edith Dees, chief information officer at Holy Spirit Hospital; and William Gillespie, director of healthcare at Distributed Systems Services, Inc. (DSS).

Initially, the goal of this panel was to discuss metrics around cloud computing (i.e. How do you justify a move to the cloud? What are the key business drivers to analyze? What are the costs?), but questions from the audience forced the session to take a few steps backward and analyze topics such as cloud security, vendor management and the emerging cloud delivery models. However, the overarching question was clear: Is healthcare ready for cloud computing?

Security: An Impediment to Cloud Adoption in Health care

Is the cloud mature and secure enough for the health care industry? According to the panel and audience members, the answer is not quite.

If you’ve ever visited a doctor’s office, you’re familiar with the pile of forms you need to sign to protect your privacy. But what you may not be familiar with are the extreme penalties under the Healthcare Information Portability and Accountability Act (HIPAA), which holds executive managers accountable for the disclosure of private patient information. During the session, one health care CIO remarked that the health care industry is “…not ready for the public cloud. The technology is too immature, does not extend securely to my existing applications and is difficult to manage as a service.” He also noted that his board of directors is all too familiar with the issues that cloud file-sharing company Dropbox recently experienced. In health care, the privacy concerns around HIPAA have entirely different consequences, and a mistake like the one by Dropbox could potentially expose a health care organization to civil and criminal liability. So while the benefits of the cloud are appealing, many health care executives continue to balk at assuming unnecessary risk.

The never-ending public cloud vs. private cloud debate

A key theme throughout the panel was determining the best cloud model for health care organizations. A public cloud lacks the control and security policies required by health care organizations. On the other hand, a virtually private (or hybrid) cloud offers customization, security, privacy and a high level of internal control. Health IT leaders must identify the cloud solution that allows them to take advantage of private cloud technologies where IT can own or modernize data centers and, as a result, obtain the extended scale, business agility and economic reach.

I brought this point up to one of my panelists, industry luminary David Linthicum, who advises health care organizations on cloud strategies and service-oriented architectures (SOA). David evangelizes that “service oriented transformations” will enable health care providers to securely connect existing systems and data repositories to access actionable information across health care systems and enterprises. Moreover, service transformations give providers greater flexibility in meeting future changes as the health care industry adopts new regulatory requirements and methodologies.

This public vs. private cloud debate continues to rage in the IT industry. However, in the health care vertical, private and hybrid clouds are winning the race.

When the cloud is adopted, vendor management is crucial

Though it was clear that cloud use-cases are not currently a priority, questions from the audience were seeking new strategies for vendor management and governance. Generally, there is much interest in understanding what the vendor mix will look like in the future. As more IT departments move to the cloud, the ability to manage and measure the performance of multiple cloud vendors becomes critical. For example, health care organizations might utilize co-location and/or third party electronic health vendors, but they must be managed. They also require service level agreements that have distinctive privacy and security contracts.

The true nature of what the “cloud” enables is a mix of third party providers that will extend the capabilities of an IT shop. Tiering of service providers with focused specialties will force the discipline of vendor management. Cloud vendor management will be vital for driving best pricing and optimal unit rates for outsourced infrastructure services. This will ensure vendors are held accountable to contract standards, and that health care organizations can optimize spending and buying power with strategic vendors.

Cloud computing is one of the most transformative business technologies since the adoption of the Internet. However, in an industry as sensitized to privacy and control as health care, many IT professionals in the health care landscape remain leery. Is health care ready for cloud computing? It’s unknown, but the debate will undoubtedly continue. However, with the right model, adequate privacy and control standards, and a comprehensive vendor management capability, the cloud in one form or another will be a viable and appealing option for health care.

Cloud Computing in Healthcare Panelists (left to right) Edith Dees, CIO Holy Spirit Health System, Buddy Gillespie, CIO Emeritus, Wellspan & Industry luminary David Linthicum and Chris Pick.