HIT Exchange: A Magazine for the Convergence of Healthcare Business + Technology

Seeking Safety in the Cloud

by TRIONA GUIDRY

As cost savings and a scarcity of qualified network engineers drive hospitals of all sizes toward cloud computing, could a future of mega datacenters be far off?

Cloud computing is here to stay. With healthcare spending on cloud computing predicted to surpass $1 billion by 2013, the question is no longer whether or not hospitals should use the cloud, but how they can secure it.

While most organizations have chosen private cloud services, some have found ways to use public variations without losing control of their data. The University of Pittsburgh Medical Center has more than 54,000 employees and includes more than 20 hospitals, 400 doctors’ offices and outpatient sites, and myriad other services.

“(Data storage) is a changing landscape,” says John Houston, UPMC’s vice president of privacy and information security. “We have an on-premises data center which provides our private cloud, because if at all possible, we prefer to host our own services. That’s not to say we don’t go out to industry...but we find a higher level of stability and availability.”

The future of cloud computing could see large-scale computing housed in mega datacenters, with local IT people interfacing between the customer and the mega datacenter.

UPMC underwent an “IT transformation,” forgoing a new, $80-million data center in favor of private cloud architecture. As a leader in clinical information systems, they found their storage needs rapidly outpacing their support capabilities. Through a $402-million partnership with IBM, UPMC migrated to a dynamic architecture that can grow with the health system’s needs. The project reduced their Unix servers from 162 to 14 and Wintel servers from 1200 to 16, with corresponding reductions in power and space requirements.

Security was a major factor in the decision to go private. Still, Houston says there is a place for public cloud technology in hospitals. “If we can’t run service in-house, and there are a host of reasons we might not, we have the vendor deliver services via the Internet.”

Making the Transition

The experience has been similar at Advocate Health, the largest integrated healthcare system in Illinois. Advocate has more than 30,000 associates and 250 sites of care. “We really want to get out of the data center business,” says Bruce Smith, senior vice president of information technology. “It’s becoming more complicated and expensive, and the network engineers you need to maintain that kind of environment are becoming harder to find. We’re looking for every opportunity to go to more cloud computing because it’s more economical.”

Several years ago, Advocate moved clinical systems to a private cloud anchored by a data center in Kansas City. Smith explains, “At the time, the platform we were on was going out of support, and the upgrade cost was in the $15- to $20-million range. We had six network engineers, so as we started looking we felt we were short on expertise.”

Cloud computing allowed Advocate to avoid capital expense and gain the vendor’s technical skills. “Ironically, customers saw faster response times from the Kansas City datacenter than locally. It worked out well and we’re comfortable,” Smith says.

Last year Advocate moved its email and calendar services to a Microsoft-based cloud solution, for many of the same reasons. “They can run it more efficiently,” Smith says. “We have front-end security at Advocate that we use to authenticate and check everyone out, and we have secure pipelines.”

Different Sites, Different Systems

In smaller hospital systems, the challenge is meeting demand while streamlining costs. “I’d match the talent of our team against anybody, but we don’t have enough resources,” says Chuck Christian, CIO at Good Samaritan Hospital in Vincennes, Ind. “We’re challenged with everything in a community hospital.”

With 250 beds and an IT staff of fewer than 25, Good Samaritan’s environment may be smaller, but the issues remain the same. “We’re all concerned about turning loose control of the data, even in a private cloud,” says Christian. “In moving our email to a cloud-based solution, I had to ask ‘How does that work if it’s being handled by the cloud? How can I secure it?’”

Christian relies on outside security experts to bolster the talents of his in-house staff. “Most of my tech team wear multiple hats, so I have to make sure they are as up to speed as they possibly can be on threats and mediation of those threats.”

Choosing a Partner

Reliability of vendors is a key question. Houston of UPMC says, “The majority are committed to security, and good operations, and to providing service in a credible way, but the minority make it difficult for the rest of them. We have had situations where (the vendor) looks very credible, but once you look under the covers it’s three or four people running the service from a server under a desk.”

That lack of transparency makes it difficult to know which vendors to trust. Experts encourage hospital systems to hold vendors accountable, asking for specific information about their internal infrastructure and data recovery plans and requiring audits as part of the agreement.

Houston would like to see a certification process for vendors. “It would be great if there was a method by which vendors could attest (to their products) in a way that any provider could rely upon it, like a Good Housekeeping Seal of Approval,” he says. “There are standards, but I don’t know if they go far enough. We try to impose contract terms in our agreements with cloud vendors that require them to test programs and make sure security updates are installed within so many days of availability, but it can be a big fight to get them to do that. As an attorney I do most of our IT legal contracting. You have to stick to your guns and try to negotiate.”

Christian of Good Samaritan wonders about the commitment of vendors to their products. “Companies... get into the market then decide it’s not a core business and get out,” he says. “If we go down a path and we move storage into the cloud, I need to have some guarantees that vendor will be there long-term.”

Evaluating Cloud Stability

In recent months, cloud outages at big-name vendors like Amazon, Microsoft, and Google have caused some to wonder if we’re putting too much in the cloud too fast. “As you get into the cloud one of the biggest issues is control,” Smith of Advocate says. “You’re sharing control with a vendor, so you are somewhat at the mercy of their ability to provide the service.”

Among the threats to cloud security, consumerization of IT is perhaps the fastest-growing. While tablets, smartphones and other mobile devices offer greater access to the cloud, those capabilities come with the price of vigilance.

“We’re only in the infancy of how these devices are going to get used,” Houston says. “In a perfect world, not only would we have password protection and encryption, we wouldn’t have persistent data on devices, so that no matter what happens there’s no chance that data could end up being lost.”

The team at Advocate is trying to figure out how to transition to the mobile environment. “We used to supply desktop computers with a certain configuration. Now people are coming in saying they don’t want a desktop, they want a laptop or a netbook or an iPad,” Smith says. “We know we’re going that way—there’s no way to stop it.”

At Good Samaritan, Christian takes consumer devices in stride. “If they want to connect, they have to follow our rules, same with remote access to email. We’re doing everything we can think of right now, but there has to be a balance between what you can do and how much it costs.”

A Common Variable

The three experts stress the importance of education for employees and IT staff alike. Smith says, “The main thing we’ve found with customers is that some people just don’t view their password as important. They share it with other people or write it down. We spend more time training so they understand the importance of password protection and identity.”

Christian emphasizes annual education for all employees, plus an intense training process for new hires. “We stress to our employees that we’re stewards of our patients’ info, and we have to be good stewards and make sure we don’t purposely or inadvertently release that info.”

Passwords remain a weak link in the security chain. Storing data in the cloud makes credential management more crucial than ever, and hospital systems are looking beyond traditional passwords at single sign-on portals and other means of managing customer identity across multiple platforms and services. Smith says Advocate is “introducing a new portal that isn’t single sign-on but does take into account the majority of apps people tend to use.”

But, he says, they have so many services that a single solution is impractical.

Emerging security threats mean continued diligence for the IT teams in the trenches. One of the most troubling is the proliferation of APTs—advanced persistent threats. These are highly targeted attacks that tend to operate under the radar of most detection tools. “APTs are designed to be very focused and might not show any signs,” Houston says. “You need good security hygiene, solid perimeter security, next-generation firewalls. If you do everything really well your exposure is much less, but there’s still a risk.”

Other threats include everything from distributed denial-of-service attacks to hacktivism. Attacks are increasingly sophisticated, targeted, and cloaked. Astonishingly, public cloud infrastructure may actually serve to help cybercriminals, because the widespread availability of such services means that anyone with a credit card can use a public cloud to launch attacks on legitimate cloud customers. Meanwhile, hospital IT systems can become so complex that it becomes difficult, if not impossible, to track every single resource. This can be complicated by a lack of transparency on the part of vendors in a mixed environment where hospital systems may own some, but not all, of their critical infrastructure.

What about the future? “We’ll see large-scale computing in mega datacenters, and more effective cost- and service-oriented providers,” Smith suggests. “Local IT people are going to manage those relationships and do the interfacing between the customer and the mega datacenter.”

Houston predicts, “Every clinician will carry around a pad or device that will drive their workflow. The form factor will fit in the pocket of a lab coat and will have a user interface that is incredibly rich in high-quality data accessed in an intuitive way.”

As for security, Christian cites continued diligence, warning that hospitals shouldn’t get so distracted by other projects that they forget to review policies. “It’s much easier to prevent than to clean up afterwards,” he says.

Smith says, “We want cloud computing to be transparent to the end user. As a customer you don’t care where your data is, you just want great service.”

Miriam Paramore, Emdeon SVP for Government and Clinical Services, praises the reliability of cloud computing for her business model. “The cloud gives you this industrial-strength infrastructure,” she says. “It’s not something to be afraid of.”

For Paramore's insights into healthcare cloud computing, follow this link.