Navigating the Cloud Landscape through a Health, Health Services and Compliance Lens
Dealing with compliance requirements and managing PHI is a game of Jenga. The wrong move and this virtual block tower tumbles. The tabletop that awaits is an unyielding expanse of regulatory audits, fines, and reputational loss. But by acquiring a winning skill set, your organization can create a culture of compliance that really stacks up, and stays up.
What sparks a cloud conversion?
When it comes to making the decision about pursuing a cloud strategy, when does lightning first strike? What are the catalysts that bring healthcare companies to the public cloud? On-premises data centers have been the norm for a lot of healthcare organizations. For example, providers run monolithic applications, spin out virtual machines, maintain the data storage environment, and more. They’re also used to a data center’s expense, massive power requirements, consistent maintenance, not to mention the nonstop patching of everything from virtual machines themselves, to the storage arrays, to the hypervisor management systems.
So, what remolds this holding pattern? For instance, a healthcare organization may have a business unit that needs to move very quickly on a project in a way that outstrips the capacity of their on-premises environment. It may be a data-driven research initiative where a hospital organization is trying to understand the patterns of patients within their numerous hospitals. They now find themselves with an urgent need to burst their compute capacity up, and maybe out, in a way that their data center wasn’t designed for and can’t handle. Ultimately, it’s when companies start demanding more from their technology that they begin to explore the potential of cloud computing.
When you have a wedding reception, you don’t buy the banquet hall
Any big data initiative using an internal data center means the start of a spending spree: provisioning new machines and setting up an infrastructure environment that is built at the maximum capacity of that use case. And then, when that’s not needed, it just lies dormant, wasting money until it’s needed again. In the hospital example, the cloud’s capacity can actually scale up, scale down, or scale out at the point in time that it’s needed, and the organization doesn’t have to pay for the compute while it’s idle, waiting for the next research study to happen.
Life sciences organizations also have a tremendous need for scalability. Modern clinical trials not only require massive compute capacity, but the computing demand required for them is growing exponentially. A trial may now involve APIs that de-identify patient data sets, machine learning technology that runs on that data, data lakes that can standardize disparate data sets, and the capability to do everything across multiple clinical trial locations—all adding up to a gargantuan data processing need that up to now has been unprecedented. In addition, the failure rate for new drugs remains high, which makes the ability to scale down a trial’s compute quickly an essential part of a life sciences organization’s data management arsenal. It also makes it a vital tool for reducing expenditures. Ultimately, the cloud’s quick scalability and subsequent cost savings are analogous to the common sense we all grew up with: you turn off the lights when you leave.
The science of compliance
Why does managing PHI feel like it requires a PhD? Properly handling PHI and maintaining compliance in the public cloud requires very specific, constantly-evolving expertise that can only be achieved through continual learning and training. In addition, as a matter of best practice, you should adhere to the Health Information Trust Alliance Common Security Framework (HITRUST-CSF) program, the gold standard for PHI security and privacy controls, as well as comply with HIPAA’s standards for security at the physical, technical and administrative levels.
The brutal truth is, when it comes to managing PHI and maintaining compliance, every healthcare organization is stuck between a rock and a hard drive. As if healthcare organizations’ day-to-day operations weren’t enough of a challenge, they also must develop or acquire the skill set to handle tools developed specifically for managing security and compliance in cloud environments, and these activities must be conducted against the backdrop of the constantly-evolving, healthcare-centric regulations. And “constantly-evolving” is the key phrase. It is the perpetual evolution and expansion of regulations that acts as a disrupter to an already challenging task. It’s like playing a seemingly familiar board game where the “Get out of jail free” card now just assigns you to a work-release program. How can I win if they keep changing the rules!?!
With these complications in mind, a growing number of healthcare organizations would rather use their IT resources for innovation, not continuous security and compliance.
And when they outsource those responsibilities to a healthcare cloud specialist, they do so with a sigh of relief.
Adopting cloud initiatives: enlisting the top brass
Top management wants to make sure they accomplish their business objectives, but for most C-suiters, their business objectives aren’t necessarily IT, compliance, or security objectives. Payers, for example, have high-level, core-mission business objectives, such as attracting members and improving member experience. On the other hand, IT has much different initiatives, such as managing data, keeping capacity at the optimal size, and the like. To convince non-IT chiefs that a cloud initiative is a good idea, the champion needs to understand how the cloud can enable and empower the broader business.
The shrewdest IT executives will bring a use case to their C-suite and say this is how we stay ahead of things, this is how we offload or transfer some risk, and this is how we innovate without having to worry about those blocking and tackling items that don’t add any value to our core mission. If the company’s high-value goal is creating a better user experience, the CEO would like to hear you make the case that the cloud can foster innovation that can translate to the nimbleness that addresses that challenge.
Once you talk about the big advantages, you can focus on how individual departments can benefit. For example, specifically tailor the cloud’s upside for the CFO by underscoring the reduced expenditures for infrastructure. And since avoiding risks can be a big part of improving the bottom line, talk about compliance, privacy, and security, and how you can offload certain amounts of those related risks by working with an experienced cloud partner.
It’s important to understand a Chief Medical Officer’s concerns so you can better frame your case for cloud adoption. A CMO’s main objective is to make sure healthcare delivery and healthcare quality are at the optimal level. To this end, they want to make sure they have all the tools, strategies, and know-how for successful outcomes. To convince a CMO of a cloud strategy, you must talk about using big data, data lakes, and machine learning—and what each of these services in the cloud can bring to the table to help unleash the power of the data they already have. Ultimately, you must stress how that reincarnated data can improve patient outcomes while managing costs and even finding new revenue centers.
Framing the Cloud Adoption Argument for Different Healthcare Sectors
- For executives at healthcare providers. Providers are being pressured more and more with tighter margins, while being tasked with the progressively more difficult job of maintaining an outcome-based model. It’s key that you underscore that a cloud initiative can help provide new and better opportunities to accomplish their goals and also drive down costs.
- For executives at healthcare payers. Payers share some of the same pressures to increase efficiencies and reduce costs. You may choose to frame your case as an either/or argument: do we adopt cloud capabilities that can remove many of the limitations imposed by our previous technologies or do we hire a legion of internal engineers, assuming we can find and attract them? Where will our investment produce the greatest results?
- For executives at healthcare IT organizations. This is a broad category, so it’s best to present the case so it aligns to your specific business goals. If you’re championing cloud adoption at a healthcare IT organization that is servicing covered entities and owns a data center, and your proposal doesn’t necessarily align with what the business needs to think about from a future perspective, it’s a tough sell. On the other hand, if an executive comes in arm in arm with a cloud provider and a proposal that focuses on healthcare innovation, it’s a tremendous advantage. You improve your chances of convincing the C-suite if your potential cloud partner has a history of enabling, empowering, and delivering innovative products in the cloud. Acceptance is more likely if executives know that there’s going to be a cloud services partner along with them to make sure that everything is done right.
How a cloud specialist can help others see the light
To elaborate further, sometimes leveraging the expertise of an organization that specializes in the cloud’s capabilities, particularly as they relate to the healthcare industry, can build confidence with skeptical stakeholders. An experienced cloud services provider can bring an insider’s perspective to adding value, showing the value, and demonstrating the value to each executive, one by one. There is uncertainty in change, and a tried and tested potential cloud partner can not only clarify the benefits it provides, but also show that its services will not be more difficult for the healthcare organization than the ones it already has in place.
For example, the potential cloud partner can show stakeholders the value in how it can protect the privacy of an organization’s data by elaborating on how its compliance environment is designed to foster further compliance within the organization—transforming compliance from an afterthought to part of the culture. The cloud specialist could also demonstrate the security apparatus’ auto-remediation strategies and technology that fixes things that might be configured in a way that could lead to a bigger issue. And as a closer, the cloud provider can discuss one of the cloud’s marquee benefits—its power to provide the agility that healthcare organizations need—and demonstrate how that can be applied in each business unit to add value.
Addressing the Multiple Unique Concerns of a Multi-Cloud Environment
The research firm IDC has predicted that 90% of enterprises will be using multiple cloud services and platforms by next year. Unfortunately, the healthcare industry has IT talent challenges—whether it’s finding qualified IT professionals or retaining them—so hiring IT experts who can work across multiple cloud platforms will provide an additional complication. Healthcare also suffers from a talent drain dilemma where anybody who gets a specific certification in a cloud technology is likely to get poached, or leave for the innovative high growth companies that can launch them to the next level. If healthcare organizations want to use a multi-cloud strategy, or even a single cloud strategy, they must leverage the partnership ecosystem. You can’t sail a naval vessel around the world without a shipboard watch. You need a team on active duty to make sure the journey is a success.
- Unique multi-cloud challenges for payers. You may have a particular system that is not compliant with other systems. You may have one team that is working toward one set of initiatives only to be met with a different cloud, managed by a different team on another set of initiatives. With some payers, multiple cloud solutions are happening all around them. It’s essential to make sure there’s one pane of glass for all these clouds and that the overall strategies align across multiple cloud environments. For example, if you are a compliance officer, you really do need to know how compliant your clouds are—but how do you do that if you don’t have some kind of extraction of system data telemetry that allows you to visualize the compliant state of all the different clouds you use? Despite this difficulty, there are seasoned cloud services providers that have the expertise to help ensure compliance—but trying to put that together yourself is very difficult.
- Unique multi-cloud challenges for providers. Providers often wrestle with some really old architected infrastructure. Providers have networking challenges that make them hesitant about using the Internet without funneling all traffic through a central point – much like a telecommunications model. In addition, their legacy systems incorporate some of the legacy types of identity and access management systems that are very difficult to integrate across a multiple-cloud environment. Providers must deal with huge progress delays because of some of the architectural decisions and architectural implementations that have occurred over the past twenty years.
Managing PHI in the cloud: when the learning curve is really a curveball
There’s a difference between managing PHI in a cloud environment and managing it securely and compliantly.
Even magnificent companies that offer wonderful products and services often fail to protect PHI. Some of the richest banks on the planet have suffered at the hands of malicious insiders who walked off with their data. Healthcare organizations have to continue to focus on the basics with an increased concentration on automation in the effort to remove the individual from that environment as much as possible. The cloud can help you realize great efficiency gains, but unless you are an automation, security, privacy, compliance, and cloud expert—where you can predict the behavior of the remediation of someone’s actions with pinpoint accuracy in real time—it is difficult. Chris Bowen, Chief Privacy and Security Officer and Founder of ClearDATA, offers this precaution: “The tooling to protect PHI in the cloud is quite advanced from just a few years ago. Managing PHI securely and compliantly takes focus, it takes constant investment, it takes amazing drive and grit to do—and it’s a very steep learning curve to do it correctly.”
You must unlearn what you have learned
During the migration process there’s a lot of old-time know-how that providers, payers, and healthcare IT organizations must unlearn. A company—especially one in the early stage of its cloud journey and relatively new to cloud economics—will take the approach of lifting and shifting their monolithic application into the cloud. It hasn’t been re-architected, just heaved into the cloud. Soon thereafter, the company finds out the application is really not benefiting them much more in the cloud than when it was in the data center in their basement. The computing, storage, and networking of yesterday are not the same in any way, shape, or form as they are today, and memories of them should be allowed to fade.
How are things different? Cloud services take the traditional foundational elements and change them so they can be rearchitected in a way that’s very specific to your application. It has to be reconfigured to run in the cloud—able to scale up, scale down, and scale out if necessary. You must take your use case and architect it in a way that’s useful in the cloud. The cloud security architect is really an essential component in this journey. Often traditional IT teams naturally think about the security tooling they’ve used for decades in an on-premises environment. But today, Privacy by Design and Security by Design must be central to your planning. If you aren’t sure how to do that, an experienced, healthcare centric cloud services provider can offer professional services to assist with migration planning.
The adoption of the cloud is now past the tipping point—that moment when a technology goes from emerging to mainstream. Organizations across the whole healthcare spectrum are traversing the cloud landscape. But it’s more than that—how you navigate your cloud journey must take precedence. It has to be done in a way that is safe, secure, cost-effective and helps you keep your data protected.