The embrace of cloud solutions in healthcare has been accelerating at a frenetic pace. Since the introduction of the Affordable Care Act which compelled the adoption of Electronic Medical Records (EMR) and supporting systems, US hospitals have been more open to not only digitizing their processes, but to decentralizing their information technology infrastructure and moving cloud-ward.
To many decision makers, embracing the cloud can be seen as a way of bolstering infrastructural agility, increasing data accessibility, faster resource provisioning and more nimble allocation, provisioning challenges, reduced need for IT and data center supporting manpower, and better empowering interoperability.
The convenience that comes alongside the use of cloud solutions does seem enticing at first, however, submitting your personal data to a cloud provider raises a couple of security concerns as well.
The Cloud: Obstacles and Opportunities Run Sky-High for Hospitals
According to a 2019 Cloud Security report, data security (29%) and general security (28%) risks top the list of obstacles to faster cloud adoption.
While few hospitals today run on information systems that are entirely cloud-based, most do involve some sort of cloud dependency or integration. As such, securing data on the cloud is of vital and ever-growing importance. This article explores some of the top security considerations for hospitals moving to cloud or hybrid information technology and system models.
1. Maintaining Regulatory Compliance Around ePHI Access and Management
As hospitals shift more and more to the cloud, they often face questions of how those new technologies will affect their compliance posture. For example, a cloud-based or EMR system that collects, processes, and stores protected health information (PHI) will need to comply with stringent privacy standards as outlined in the Health Information Portability and Accountability Act (HIPAA).
Most hospitals have a hard enough time maintaining HIPAA compliance as “covered entities” that they’re wary of involving additional “business associates” for whose own compliance the hospitals would share responsibility. Yet, when hospitals use outside cloud service/solution providers to manage and store PHI, that’s exactly what they’re doing.
As a result, the hospital would need to map out any relevant HIPAA implications and enter into a HIPAA-compliant business associate agreement (BAA) with the cloud service/solution provider. In fact, even with a BAA in which the cloud service/solution provider commits to satisfying any commutative data security and privacy requirement under HIPAA, it remains incumbent upon the hospital as a covered entity to independently assess their business associates’ risk bearing and management capacity as it pertains to the Security Rule.
All of this represents no small amount of work and potential liability. Apart from the criteria for the chosen location for data, for the majority of hospitals, reality sets in when members of the management team have no other option but to become experts in the technical security and privacy of patient data throughout the data lifecycle, which usually encompasses the distribution, creation, usage, storage, maintenance, and destruction of data.
Moving to the cloud requires that health delivery organizations safeguard the lifecycle of electronic PHI, regardless of where it’s living and what entity is managing it.
In the digital domain, systemically protecting information is far easier said than done. One of the biggest challenges has to do with visibility: you can’t secure what you don’t see.
Unfortunately, most healthcare organizations don’t have a very good view of the data they hold, where it’s being generated from, or where it’s stored. Because of this, it’s important that hospitals audit their data repositories, the inflow channels that feed them, any ancillary outflow channel, and any endpoints configured to transmit or store data.
Before you even begin to consider the compliance implications of adding outside parties and new variables into the data security, you’d be wise to have your own house in order. Once you’ve done so and have extracted an accurate data inventory and flowchart, you can begin building in outside parties like cloud service/technology providers and mapping the points of intersection and divergence with respect to dataflow. Comparing this data connectivity matrix to HIPAA requirements, will give you a good idea of the specific areas that present the most likely issues for compliance.
Compliance with healthcare regulations demands that the cloud service provider maintains visibility into where the organization’s data is stored throughout the lifecycle and who has access to that data at each stage. As stated above, it is important to know where all your data is located. You also need to understand the cloud provider’s data services locations and where PHI may be stored. This is also essential for backups and DR. Because of this, hospitals may find that abstracted cloud environments can make a particularly tall task of compliance.
When it comes specifically to EMRs, rather than adapting a canned solution to your particular needs and compliance considerations, it may be worth considering custom developing cloud EMR software to meet the specific needs of your organization.
2. Choosing the right cloud service providers
Not all cloud vendors and solutions are created equal. Hospitals ought to choose carefully to ensure the integrity of their infrastructure under a diverse and potentially adverse range of conditions. The cloud providers need to implement security protocols that take the full lifecycle into consideration while adhering to rules mentioned within HIPAA compliance and avoiding violations.
Cloud vendors can help the healthcare organizations join the cloud revolution. Trusted third-party assessments can provide reassurances that a vendor furnishes enhanced technical solutions in-line with the physical, administrative and technical safeguards required to host healthcare data.
These standards ensure that security policies, internal audit controls, and data processing are of the highest standard and there are strict protocols in place to ensure client confidentiality.
Insofar as your move cloud-bound includes data center services, distributed computing resources, or any other manner of data storage, it’s important that the service provider offers secure offsite backups and data protection technology (such as disaster recovery failover).
Healthcare is as unique a technology space as it is a business space, and the best technology partners/service providers will understand that and reflect it in a tailored offering. In the vendor selection process, an examination of following criteria should help the best options stand out:
- Reputation and record of excellence
- Level of support and commitments
- Financial terms/payment flexibility
- Proven use/value cases
- Willingness to customize the offering
A vendor with a strong reputation and record of excellence will not only be able to furnish a respectable list of healthcare customers, but will be able to direct you to no small number of customer references with whom you can discuss your needs, concerns. and considerations in detail. If the reputation and record are truly excellent, you should even be able to source such references on your own, without expending too much effort, just by probing your network or sending out feelers through industry channels.
You should also see a great reputation reflected in the company profile. For most companies, a good reputation will be the product of deliberate cultivation, expressed in both corporate culture and formalized business policies. Though these things may not be public knowledge, they will leave a clear footprint to anyone looking for them. (Think McDonald’s “the customer is always right” policy.) Company’s working to build on great reputations will show prospects and customers a consistent experience across interactions and points of contact, employees’ work will be disciplined, and they’ll deal with complexity through procedure and by progressing through a discernible escalation matrix. Though exhibiting these signs alone does not make a vendor the right vendor for you, it should definitely cast them in a positive light.
A vendor offering robust support and firm success enablement commitments will take your top implementation and utilization concerns and thoroughly dismantle them. Among other things, you’ll look for 24x7x365 operational support, fully documented service dependencies (technologies being used and service roadmap), boots on the ground via local partners trained in implementation and maintenance, detailed and comprehensive service-level agreements (SLAs) that don’t reflect an effort to avoid enforceable commitments, and a willingness to offer migration planning and support on both ends of the project/partnership lifecycle.
When it comes to financial terms and payment flexibility, there are a few different things you’ll want to see from a vendor. Leaving aside the tech giants (like Amazon and Microsoft, for example) and their cloud service offerings (AWS, Azure, etc.), you’ll want to see what type of reaction the request for payment flexibility elicits from the vendor. If they are entirely unwilling to have that conversation, it may speak to a tenuous relationship with cash flow. That can be a very big red flag when you’re not dealing with a set it and forget it product, but a remotely accessible service that needs to be constantly maintained and developed by the provider. When operating from a SaaS model, even the best technology is of little value if it rests on unstable financial footing. At the same time, you wouldn’t want to see the vendor overeager to agree to any and all suggested financial terms as that may speak to a level of desperation.
Ideally, you’d see a vendor genuinely interested in considering a range of options together with you and that takes a decidedly long-term approach — valuing the lifetime value of your patronage above your upfront investment.
Of course, at the end of the day most of your decision will boil down to the particular cloud offering and the value it stands to add to your operation. Here, smart hospital decision makers will look for vendors with proven use cases. If it’s not immediately clear to the hospital how they would use the service/technology, how it would integrate into existing workflows/technology stacks, and how they would coax the most possible value out of it, the vendor needs to be able to easily point to case studies outlining how other similar organizations did all of the above.
Obviously, you won’t want to rely on the vendor’s word alone. You’ll want to find some external validation for the quality of their offering and strength of delivery. There are different places you can look for this. Enterprise tech and service review sites are one place to look, but those may lack the environmental specificity and rich context required to properly inform on a decision. Awards may bear relevance too, but it can be hard to keep up with which awards are meaningful and which are not; many are bought and paid for while others are based on often irrelevant criteria. More often than not, when it comes to objectively assessing the exercisable value potential of a cloud service, the analyses of respected market advisory firms are the most reliable and both meaningful form of external validation.
Forrester Research, for example, puts out its Forrester Wave™ report on hundreds of different technologies and services each quarter. These reports are designed as a sort of objective third-party guide for prospective customers in a given technology marketplace. The Forrester WaveTM reports are especially well-liked because of their relatively short and to-the-point format and the titular "wave" chart that visually maps the comparative strengths of solutions across 10 transparent evaluation criteria. In this way, the reports tidily collect and succinctly deliver a wealth of knowledge to inform on bottom line decision making — becoming a valuable resource and key time-saver for purchasing committees.
The report breaks the field of vendors into four tiers — Leaders, Strong Performers, Contenders, and Challengers. Taking the Wave as a starting point for vendor research and evaluation process, many decision makers will limit their short list of vendors under consideration to those that appear in the Leaders or Strong Performers section. Gartner’s Magic Quadrant reports is used in much the same way.
Though not quite as meaningful, it can be similarly useful to look for other certifications held by the vendor or standards adhered to, for example, SOC reporting certifications can definitely be taken as strong quality signals, while having a HIPAA Seal of Compliance should be a prerequisite.
If a vendor's technology is not well-known and familiar, it’s important that it be built in a really easy-to-use manner and presented in a really easy-to-understand way. If a service or technology promises unrivaled functionality but is too complicated to actually make use of, it’s not going to do much good. To that point, where demos are relevant, they should be customized to the hospital’s working environment and give the would-be user a very practical, hands-on sense of how the technology works. Even more to the point, wherever possible, the service provider should offer some sort of proof-of-value pilot program for their offering. This can do a lot to remove speculation and aggravation from the equation — demonstrating performance and reliability and giving decision makers absolute confidence to say “yes” or “no”.
Lastly, it’s just as important not to simplify the complex as it is not to complicate the simple. Plug-and-play services and solutions are great in some cases and terrible in others. It’s important that you have a good grasp of what exactly you need so that you can properly ascertain the extent to which canned offerings do and do not satisfy those needs. Some vendors won’t even wade into the waters of customization — it’s just not their business model — and some will be keen to jump into the deep end.
For most hospitals, a limited degree of customization will be necessary. Here too, the way the vendor reacts can speak volumes. If they’re pushing for end-to-end customization, they probably don’t have a great understanding of your operational environment or are eager to trigger cost escalators.
On the other hand, if they insist that their offering is perfect for your uses, straight out of the box, they may not be paying sufficient attention to your described needs or may feel ill-equipped to handle the support and maintenance demands of a unique implementation. In either case, it’s not a good sign.
You’ll want a vendor that is really committed to working with you and willing to together explore options. Of course, and it bears repeating, to properly guide that exploration, you’ll yourself have to have a really good handle on your needs.
3. BYOD, Security, and Data Breach Implications
IBM and Ponemon Institute recently calculated the average healthcare data breach costs to be $380 per record. While the average global cost per record for all industries is $141, healthcare data breach costs are more than 2.5 times that global average.
With smartphone and tablet use growing among nurses, doctors, and other hospital employees, one of the fastest growing threat vectors in cloud security is unintentionally risky employee behavior. The fear of insiders exposing patient data through cloud-based compromise is far greater the wider and more accessible the data systems and applications become.
Intentional or not, internal breaches can cost the organization hefty fines and damage its reputation forever. As such, it’s important for the hospital’s security team to be vigilant at all times, controlling access based on role and authorization, and monitoring network traffic down to layer 7. Similarly, smart organizations will limit external data storage and have well-defined and governed processes for tracking and managing those instances when it’s allowed — including BYOD .
Multi-factor authentication (MFA) can also be the critical security component on the user’s side. It adds a supplementary layer of protection to system access. In addition to a regular password, the user gets a disposable key on a private device. The account is sealed off, and the user is sent a notification in case a break-in is attempted
What Lies Ahead for Hospitals Pursuing Cloud Transformation?
If your healthcare organization’s digitization strategy includes a cloud journey, it’s probably a good thing. At the same time, you’ll be mistaken if you’re expecting that journey to be simple or quick. There’s a lot to bear in mind and a lot of ways in which a good idea can go sideways. If you can’t proceed with confidence in your cloud deployment’s compliance with applicable regulations, the reliability of associated partners, and the security of resulting dataflows and architecture, you’d be wise to slow your forward progress.
It’s best to work with service/solution providers that can help you create a clear vision for migration and align your own strategies. From there, you can work to make sure that you manage all your data points and support a smooth transition. You’ll also want to prioritize providers who understand the security and are well positioned to discharge any concomitant obligations.
Moving to cloud infrastructure doesn’t need to compromise security. As a matter of fact, leading healthcare organizations tend to embrace advanced, often cloud-based, technologies and models solutions and work with partners that understand and can support not only their technical requirements, but their wider transformation agendas. Take the time to better understand your own strategies and design a cloud model that fits your needs.