The healthcare industry is under constant pressure to streamline the sharing and availability of information, while at the same time maintaining ever-more rigorous controls over patient privacy, and of course, reducing costs at the same time. Therefore cloud computing offers some significant opportunities, perhaps even more significant than in many other industries.
The ability to quickly access computing and storage resources when needed, without the requirement for a large technical staff is pretty much the perfect solution for many hospitals, health clinics, and doctor’s offices. It should provide them with an incredible opportunity to improve services to their customers, the patients, to share information more easily than ever before, and improve operational efficiency at the same time. The challenge, at least for now, is the critical element of maintaining patient privacy. The risks of exposing sensitive patient data, especially in public cloud infrastructures, continues to act as a drag on the rate of cloud adoption.
Where does cloud computing in healthcare make sense?
The range of services offered through the cloud is expanding at a staggering rate. Certainly healthcare providers can look at a number of services to help reduce IT management costs and accelerate deployment of new IT processes but they should be wary of moving anything requiring highly sensitive information out into the public cloud services until they clearly understand the risks and the legal ramifications.
The recent furor around Dropbox security has been drive driven in no small part by the fact that information customers thought was protected by encryption from everyone but themselves is, in fact, open to examination by Dropbox employees. Imagine a scenario in which files containing PHI were placed in a cloud storage service, even temporarily, and were later found to have been exposed to employees of a third party. So at least for now, while such things as email, payroll, backup and so on are all available through the cloud, organizations should put in place tight procedural controls to prevent protected information moving out into the cloud in an unsecured way.
What are the risks/concerns about data privacy/security?
The risks for data in cloud serves are, at their more basic, really no different than for information in traditional infrastructures. However, the complexity of cloud models, and the difficulty of measuring those risks, mean that the stakes are far higher for sensitive information moving out into the cloud. The primary risks are, of course, going to be the availability, integrity and confidentiality of information. The question of availability loomed large recently with the prolonged outage of Amazon’s EBS (elastic block storage) which affected a large number of Amazon Web Services customers.
This was certainly a wake-up call to those people who thought cloud, especially cloud offerings from a large provider such as Amazon, was somehow immune to the day to day tribulations of admin error, server outages, and other IT problems. The other big concern, and I would say it’s the single biggest concern at the moment, is the privacy of that information. The benefit of cloud models is that they hide much of the internal processes required to deliver the services. This lack of transparency comes at a cost, however. It’s difficult to know how secure systems are when they are hosted in locations over which you have no control, staffed by employees whom you have never seen, and are interacting with systems from other third parties about whom you may know nothing. The risk of a breach of a system that enables an attacker to gain access to a large number of cloud systems is a real worry. So is the risk of a rogue insider working at the cloud provider or one of its partners. As a result, organizations of all kinds, not just healthcare but finance, government, and so on, are thinking long and hard about ways to maintain control of their information even as it moves into public cloud infrastructures.
What are the relative advantages of private/public clouds in healthcare?
The notion of a private cloud, one in which organizations build their own cloud infrastructure for use by their business units, is certainly generating interest for a couple of reasons. First, it allows businesses to step slowly into cloud usage before they move information and services out into the broader public domain. The second reason is that it is perceived as being more secure than a public cloud model. While debate on this continues to rage, I think it’s fair to say that private cloud models avoid some of the risks of public cloud, at least in theory.
For a healthcare company this can be a highly attractive option, as it could deliver the flexibility and responsiveness of a public cloud, without the multi-tenancy aspect which often causes concern. However I’d also caution healthcare companies to not assume that “private” means “secure.” Many private cloud infrastructures are still operated by third party service providers, introducing risks associated with their processes, their employees, and potentially their other customers (who may themselves operate poorly secured systems, enabling a cascading breach which could, at least in theory, affect your own, “private” cloud.)
Another aspect to consider is that private clouds tend to centralize information and management in ways that there weren’t centralized before. So administrators who may not have had access to highly sensitive information may now find themselves custodians of PHI, and one business unit’s systems (who practice good security) may be coexisting with another who do not, thus placing all systems at risks. The fact is that whether you’re looking at public or private cloud approaches, the risk models change and the way in which you must think about keeping information secure must change with them. The opportunities are huge, but one way or another they come at a cost.
Geoff Webb is Director of Product Marketing at CREDANT Technologies.