Cloud Computing Brings Challenges for Health Care Data Storage, Privacy

To learn more about the state of cloud computing in the health care industry, eWEEK talks with Chris Witt, president of IT provider Wake Technology Services, about how health care companies should approach cloud computing.

As health care companies grapple with whether to adopt cloud computing platforms to store patient data, providers face many choices on which services to choose and how to keep data secure.

A recent report by CDW found that health care companies are hesitant to adopt cloud services due to privacy concerns.

To get some insight on the state of cloud computing trends in the health care industry, eWEEK spoke with Chris Witt, president and co-founder of Wake Technology Services, an IT services company based in West Chester, Pa., that serves the health care, government and education sectors.

Prior to joining Wake, Witt worked as an IT engineer and project manager for a community hospital in Indianapolis, as well as health networks in Northern California and Ohio. Witt discusses cloud computing in health care in the age of meaningful use.

eWEEK: How does cloud computing affect achievement of meaningful use of EHRs?

Witt: Cloud computing is a facility for potentially reaching meaningful users in a number of ways. Historically, hospitals have never been very good at providing data center services. They can provide it, but keeping things running 100 percent is not something hospitals are very good at doing. In the past, that's been fine because IT departments in hospitals were delivering information. That's changing. And that actually started to change when PACS [picture archiving and communication systems] became prevalent across the different health care systems where hospitals were dumping their films in preference for displaying PACS images, whether it be diagnostic or readings stations. So that's when the evolution or revolution began. And now with the government mandating HITECH and pushing meaningful use, which soon will be mandated, it's now forcing these health care organizations into being a little bit closer to patient care.

Actually a lot closer to patient care, which if I was a health care CIO in a typical hospital, would scare me to death because they're not prepared for it.

With self-care organizations, data center services are not prepared to provide the high availability and the resiliency for applications being delivered to directly impact patient care. So there's a patient safety issue at hand here.

The appropriately selected cloud provider can provide the near 100 percent availability that's required for a patient care application. So that's how a health care organization can potentially use the cloud and justify the use of a cloud when delivering all of these different applications that are bundled under what we call meaningful use-whether it be health record, medicine administration, things like that. They're all very important components.

eWEEK: How does a health care organization determine if the cloud is right for them?

Witt: First off it's going to be technical. You don't see a whole lot of IBM z10s provided out in the cloud. So your majority, if not all of your cloud providers, are really going to be in the realm of Windows and Linux.

If you have key systems that are being hosted internally by the Windows or Linux platforms, then a move to the cloud is very doable. If you don't, you were probably not a good candidate for the cloud. You might be a good candidate for managed hosting, which by pure definition is not the cloud. It is a different method. The result is the same, but it's not a true cloud.

So an organization first needs to look at, is it technically feasible. That's a simple analysis based on operating systems. Secondly, does it make sense. Does a health care organization need a cloud to be able to provide a level of security, uptime, resiliency and redundancy to maintain that application delivery as close to 100 percent as possible.

There will be costs involved in the SLAs [service level agreements] the clinical community are going to be demanding as they're forced to use these applications in delivering their services. Nine times out of 10, moving stuff offsite is going to be more financially attractive than trying to build out your own organization in-house.

eWEEK: Which cloud platforms do you recommend for health care organizations?

Witt: Ones that have been in the health care business already-meaning the third-party vendors who currently host health care clients' data and systems. That would be ideal, only because they're in a situation where they've been there, done that, so they understand some of the nuances with health care, some of the HIPAA issues that go along with it. They understand the true meaning of uptime requirements, especially when it relates to health care.

Also, due to a number of reasons, I would absolutely do due diligence to make sure they're financially sound and reputable. The last thing you want to do is move a lot of your processing to a third party and find out that they're either going to be acquired by [a company] who you don't necessarily want to be a partner with or are just going to dissolve. Because at that point you have even bigger problems, especially when it comes to potentially getting data moved and instances moved in a timely manner.

eWEEK: How do you maintain compliance with HIPAA privacy regulations when implementing a cloud infrastructure?

Witt: Ideally, you would encrypt all your data from end to end. All data stored and moved, you store it on the back-end system and then move it from the back-end system to the user's desktop, or the device would be encrypted. The problem is, that does not exist today. There are definitely some HIPAA regulations that come into play here, such as auditing. Some basic auditing. At any particular time a hospital or health care organization needs to know who can potentially have access to data. That's in a couple of different ways.

Your high-risk area is an individual on the staff of the cloud vendor who can gain administrative access to a server and potentially access data. That's problematic. Also, you don't necessarily know where that data is. That is also problematic because, due to the nature of cloud computing, data can be moved anywhere around the world. You don't necessarily know where that data is, so that becomes a little challenging, and in some people's minds can be the showstopper as well.

Because regardless of what happens, the hospital is always going to be the one in the headline when a breach occurs, regardless of whose fault it is, and no hospital in the world wants to see that. That's just a bad PR move.

eWEEK: What steps should be taken to prepare for a migration to a cloud platform?

Witt: In health care the idea of stand-alone silo application is a misnomer. All these applications talk to one another, typically through an interface engine of some kind. So there's a lot of demographic data, there's test data, there's other financial data that's moved in and around in between these systems. So No. 1 you need to completely understand the requirements of what we'll call an application. Who accesses it, what interfaces are involved, what maintenance is involved, things of that nature.

Secondly, if it's not virtualized already, they should virtualize it and stabilize it. Make sure there's no problems whatsoever. If they try to do all of these at the same time, you're going to be imposing a lot of risk to the organization. And trying to troubleshoot particular problems is going to be very difficult when you've made a lot of wholesale changes at one time.

eWEEK: How do private and public clouds differ in health care?

Witt: It depends on your definition of public and private. The public cloud is served by an outside or third-party entity. A private cloud is a cloud computing platform that you've built internally in your own data center.

Public is pretty much the focus of everything I've talked to people about. And that is sending your applications and your data to live on somebody else's hardware, and that's what we're really talking about here. And that's where health care organizations get the biggest bang for their buck, because they don't have to have in-house security experts, the operating system experts, the virtualization expertise. All of that is left to the third-party vendor. And frankly they do it better because they can spend the money to get those experts. Health care organizations can't because they're already cash-constrained due to a number of other reasons. Their core business is patient care, not delivering IT services.