by Adam C. Greenfield
As you move away from on-premise for better scaling and security on the cloud, there are some decisions to make regarding your service layer of choice. You’ve seen the acronyms a hundred times – IaaS, PaaS, and SaaS. Let’s talk about each layer and how organizations are integrating each into their digital strategy.
First, let’s make sure we’re all on the same page for definitions and responsibility levels for each layer.
Infrastructure as a Service
IaaS is the lower layer, which gives you a virtual machine or server in the cloud that you have control over and responsibility for - from the Operating System on up to the application. Examples you know are Amazon Web Services Elastic Compute (EC2), Azure Virtual Machines, and Google Cloud Compute Engine (GCE).
Platform as a Service
Developers use the PaaS framework to build their apps. A third party is responsible for your storage, networking and servers. Examples you have probably heard of include Kubernetes, Google App Engine, and AWS Elastic Beanstalk.
Software as a Service
SaaS is an option most companies are now using in some capacity. It uses the Internet to deliver third party apps through your web browser, requiring no downloads, installation or patches. Examples you may be using already include Salesforce, Gmail or Mailchimp.
My first piece of advice is: Don’t let the technology drive your decisions. Instead, ask what your business objectives are.
That’s what should drive your decision. A lot of how you approach this has to do with what you plan to invest in, and how you want to innovate. Most IT departments supporting healthcare organizations today are playing a support role. The business is trying to drive some other kind of value. For most of ClearDATA’s customers, for example, it’s improving the delivery of patient care, smoother billing and insuring of patients, or faster pharma research etc. Understanding the larger business objectives at play is critical to make the “right fit” decision in this landscape.
IaaS and PaaS are powerful layers that have seen significant innovation in recent years, but the reason we talk about them so much in the market is a bit misguided. While people working in healthcare IT are excited about the innovation, it isn’t necessarily driving non-IT outcomes forward for the business. Today, much of the innovation at these lower levels has driven optimization and commoditization, often by large commercial vendors that can do this at scale. For many of the healthcare organizations I talk to, it makes more business sense to leverage third party commercial services, like Arc or Anthos. For customers with internal expertise or substantial cost pressures, the open source community continues to produce several interesting and innovative solutions at these layers as well.
I would caution against a common concern people raise about the difficulty of meeting compliance objectives without running and managing the lower layers of the infrastructure stack. Modern commercial cloud products operating at the IaaS and PaaS layers, paired with appropriate security and compliance automation, can be leveraged to build solutions meeting or exceeding the same standards organizations meet internally where they have to bear operational responsibility for the entire stack themselves. I think for many people, the familiarity with their own infrastructure causes them to overlook at lot of risk there and instead focus on what might be scary in the cloud. It also causes them to wonder if what they want to do, from both an IT and business objective perspective can be secured.
I would urge people to not make tech strategy decisions driven by fear and uncertainty around security and compliance. Most of these tech stacks, even ones that feel very cutting edge, are built on fundamentals that we understand well. When ClearDATA goes to approach something like a new container platform to hold healthcare data, we do it by understanding fundamental components like securing identity and management access, encryption etc. We focus on layering in appropriate technical and administrative controls to deliver state of the art protection for the data entrusted to our customers. ClearDATA understands both the healthcare requirements and the cloud technology deeply to help you build a strategy to be successful in a secured environment.
Ultimately, as the software landscape in healthcare continues to evolve, more opportunities to leverage software directly in a SaaS model will present themselves -particularly in specialized areas ranging from Electronic Health Record systems to new modes of patient engagement. This means that responsible buyers will want to understand the approach to protecting sensitive data entrusted to SaaS systems, and particularly how they can integrate reports and information from their commercial cloud partners into their own compliance programs.
If you leave this piece with one thing it should be if you start to feel uncertainty around security and compliance as you shape your IT strategy, make sure you have the right partners and the right team. Technologies evolve and the details will continue to change rapidly, but the foundations of a successful compliance strategy remain the same. In this rapidly evolving market, having the right internal resources and partners is critical to delivering on the promise of digital transformation for your organization. Leveraging new technologies doesn’t have to be antithetical to responsible stewardship of sensitive data, however it does require the right investments in building a solid foundation.
Talking to someone who understands the pros and cons of each while you share your business objectives is the best strategy to take to drive the best-informed choice for your organization. With IT, security, and compliance teams all playing important supporting roles to the core focus of an organization, getting them aligned and empowering them to be part of the process - rather than a required gate at the end of the process - will help cloud feel less like a technical change and more like a cultural one.