Why Your On-Prem Loyalty is Misplaced
Like any strategic decision, the answer to that question will require leadership to take an honest look at their business needs, their options, and the risks. This article will outline the some of the misconceptions of keeping organizations on-prem and key reasons to consider another alternative.
Misconceptions Around Staying On-Premise
IT leaders who have decided to maintain their on-prem infrastructures usually have strong reasons for staying loyal. The problem is that many of those reasons are based on misconceptions. The following are a few of the myths surrounding staying on-prem:
You have more control
Many healthcare organizations prefer having full control over their data and equipment. They feel more comfortable seeing and touching where their data sits, and they like knowing and training the people who see and touch it. Unfortunately, this often provides a false sense of security. The reality is that in today’s cyber world, it is nearly impossible for companies outside of the tech space to have the knowledge—and the time—necessary to keep their data truly secure. IT equipment in any environment now runs the risk of being outdated and vulnerable on a daily basis. Let’s pick an example; say, your SAN storage devices. While the drives themselves may be encrypted at-rest, how often are your storage engineers checking for 0-day vulnerabilities of the firmware for the operating system on the device?
On-prem infrastructures may give IT teams physical control over their servers, storage, and network, but the real risks have nothing to do with the hardware or where the actual data resides. The threats are more on the virtual and clinical side—an operating system not being patched, environments not being encrypted, malware or vulnerabilities inside running applications, inefficiencies in logging. Ask yourself: Does your on-prem team have the skill set to manage that kind of protection, and can your equipment keep up with new, unknown threats?
Your existing tools and assets can’t be used in the cloud
While it used to be true that certain tools used by healthcare organizations couldn’t be used in the cloud, that is no longer the case. Most pubic cloud organizations have developed deep marketplace capabilities that allow them to serve up most of the security and compliance applications that live inside IT data centers. For example, healthcare organizations that use anti-virus software like Trend Micro or Symantec now have native marketplace applications that can be easily deployed inside of a public cloud ecosystem and will likely manage it more efficiently, all while providing the same interfaces that your team has been used to managing.
You can better contain IT costs
Cost containment is a valid concern when it comes to the cloud. With on-prem data centers, IT leaders know exactly how much capacity they have and have full control over their costs when new needs arise. However, in cloud-based infrastructures, users are essentially given the ability to log into a virtual portal or virtual appliance and spin up unlimited resources. Although this is beneficial for organizations that want to scale, it can pose some real budget concerns when left unmanaged.
However, with the right tools, cloud-based infrastructure costs can be easily contained, usually in an automated way. Both public cloud native tooling, as well as external governing cost optimization tools like CloudHealth, CloudCheckr, and other software tools can provide real-time reports and alerts when a budget is maxed out or exceeded. In cases where an IT team member accidentally tries to spin up more resources than the budget allots, setting appropriate permissions can actually block him or her from doing so. Software solutions, along with internal controls like training and policies, can eliminate any concerns around cost containment. In fact, a properly managed cloud-based infrastructure often reduces IT costs and frees up the IT budget, as you are not spending time and resources on traditional ITIL-based processes such as data center capacity management.
Additionally, the cloud allows you to spin down your compute resources when not needed, something on-prem cannot do, as you must invest in capital expenses regardless of whether you are using it all 24/7 or not. Many healthcare organizations actually schedule time to shut down environments during slower times, such as nights or weekends, depending on the organizational need.
It’s the only way to maintain long-time vendor relationships
A large number of healthcare IT teams have spent years—sometimes decades—developing vendor relationships that they can count on and trust. The thought of dissolving those relationships and starting over can be a huge drawback for an IT leader. Fortunately, that concern is typically unwarranted.
Many of today’s IT vendors have built cloud connectors or cloud capabilities inside of their own software devices and, in some cases, even hardware appliances that go inside of the public cloud data center. This means that healthcare organizations can typically use their vendors of choice inside of their public cloud transformation. Examples of organizations that are deep in healthcare partnerships and have developed public cloud integration include VMWare and NetApp, where you can run the same tooling that your administrators use today.
They may even be able to use the same hardware and software they have always used; they are just pointing it to a new location (i.e., the cloud). In fact, because many vendors offer both on-prem and cloud-based products and services, they are often extremely valuable resources for healthcare organizations that are new to the cloud or want to slowly move in that direction.
It’s all or nothing
One huge misconception among healthcare organizations is that they have to discard all of their on-prem assets in order to take advantage of the benefits the cloud can offer. This is simply not true. Plenty of healthcare companies have moved parts of their business to the cloud, while maintaining other parts of their business on-prem.
For example, many organizations start by using the cloud for storage. In other words, they have maintained all of their on-prem assets; they are just pointing them to the cloud instead of a piece of hardware sitting in their data center. By starting with technology like storage, healthcare organizations are improving their availability, while allowing themselves to shed large software maintenance fees on the hardware appliances over time. Other companies have taken it a step further and are strategically using the cloud for their innovation initiatives. This allows them to dabble in new technologies with less risk and investment, while leveraging some of the competitive benefits the cloud can offer, such as faster time to market.
Truths About Moving to the Cloud
While no strategic decision should be made hastily, there are strong arguments for healthcare organizations to consider moving at least part of their IT infrastructure to the cloud. Key considerations include:
It’s no secret that cybersecurity is one of the healthcare industry’s most pressing issues. Data breaches are reaching all-time highs, and according to research, can cost a healthcare organization an average of $6.5 million. When IT leaders take an honest look at the amount of patching that would need to be done to fully protect their data and their environment, there would be little time to do much else. One report showed by 2020, 70 percent of all healthcare medical devices will be operating on Windows systems that will no longer be supported by Microsoft. Without planned support like patching, these devices will be vulnerable to attack.
Public cloud providers, however, are investing heavily in R&D around security, compliance, and machine learning because it is in the best interest of their business to do so. It is, in fact, one of their core competencies, as public cloud providers now often launch services that are HIPAA eligible immediately. Put simply: tech companies have the expertise and the time to keep up with looming and changing security threats, and healthcare companies that leverage that knowledge can get back to their core competencies and still keep their data safe and secure.
As technology continues to advance rapidly and the demands on IT infrastructures rise, it is becoming increasingly difficult for healthcare organizations to keep their hardware and software up to date. Most companies outrun their 3- to 5-year on-prem capitalizations, and even if a company is able to stay within its projections and get a full return on their investments, refreshing those assets requires a huge capital outlay. They tend to run hardware until it suffers from an availability issue, whether it be security vulnerability that is not remediated or hardware failure itself.
In contrast, cloud-based models provide healthcare organizations with ongoing access to current technologies, unlimited storage, and the ability to make adjustments according to their business needs. Instead of paying large upfront costs for equipment that is only going to depreciate, companies can essentially “rent” their IT infrastructure for a consolidated cost. This monthly, “pay as you use” model is not only easier to budget, it helps healthcare organizations avoid overspending and frees up resources typically used to maintain on-prem capital investments. To avoid using dated infrastructure even in the public cloud, there are development and IT approaches to replace the infrastructure through automation, through DevOps or similar process adoption.
Agility and ability to scale
On-prem assets are limited in their ability to scale and adapt to changing needs—a huge problem for an industry dealing with a tsunami of data and rapidly evolving technology. Cloud-based services and infrastructures, on the other hand, allow organizations to scale on demand, whether they need more compute, more storage, or access to other resources. Although budget and cost controls still need to be in place, the potential for growth is always available, and most resources are offered on a pay-as-you-use basis.
Cloud alternatives also improve speed to market. For example, in a traditional data center environment, a simple IT-related project can get held up in IT for at least 3-4 weeks by the time all approvals, ordering, and provisioning are completed. However, the same project in a cloud-based environment would likely take 1 or 2 days, if not a few hours. While the approval process would remain the same, all resources would be immediately available once approval is given, allowing everyone to get their jobs done faster.
For an IT leader, data center availability is a constant priority. Whether you are concerned about overloading a transformer, a generator that’s down, or a failure at the application level, an on-prem data center needs a rock-solid disaster recovery (DR) plan in order to keep business running as usual. One of the advantages of utilizing the public cloud is being able to build a business continuity plan that only spins up resources on demand if and when you actually need them. Instead of IT teams frantically trying to get their on-prem systems back up and running and determining how much data may have been lost, organizations can work with a cloud service provider to handle any critical situations and resume routine business operations with little to no downtime.
Although many healthcare organizations feel tied to their legacy systems, the truth is that in today’s competitive market, there are real risks to staying on-prem—both from a security and compliance standpoint, as well as from a financial and business standpoint. While not everyone will approach these risks in the same way, the key is for healthcare organizations to make smart, informed decisions that financially benefit their business, keep their data safe, and prepare them for the future.
 Pifer, R. “Data breaches in 2019 already double all of last year,” Healthcare Dive, 2 August 2109.
 Landi, H. “Healthcare data breaches cost an average $6.5M: report,” FierceHealthcare, 23 July 2019.
 Davis, J. “Majority of Healthcare Medical Devices Operate on Legacy Systems,” HealthITSecurity.com, 15 May 2019.