Why One Hospital CIO Says He is a Fan of the Cloud

While acknowledging that there are risks, setting standards on security procedures, encryption and transparency makes cloud storage a viable option at one hospital

For a variety of reasons, the cloud is being regarded as an important and growing influence in healthcare. That’s not surprising, giving the explosion of the volumes of electronic data at a time of tight budgets at many healthcare provider systems. Yet even the most ardent proponents of the use of the cloud in healthcare approach its cautiously, weighing its benefits against its risks, and having procedures in place that mitigate those risks as much as possible.

One long-time proponent of the cloud is Daniel Morreale, vice president and CIO at Riverside Healthcare System, a 680-bed provider organization in Yonkers, N.Y. Recently, he spoke with Healthcare Informatics about his organization’s use of the cloud and its future plans.

Moreale makes a business case for cloud use, citing the cost of data storage, which is an ever-present issue. “If I have an opportunity to minimize my capital expenditures, that’s something I am going to look at,” he says. He also notes that the growth of data storage requirements is on a steep curve, which will continue to rise with the growth of picture archiving and communication system (PACS) across cardiology and other non-radiological medical specialties.

He says his hospital system has a goal of eliminating its “massive data frame,” along with its associated power costs, cooling requirements, and capitalization expenses to replace hardware. “If I can get those off my plate and turn those into a relatively low operating expense, I like it,” he says. He notes that he takes a proactive approach to hardware replacement at Riverside, and bases his calculation on a five-year total cost of ownership model.

Morreale says he is open to storing all types of data on the cloud, adding that he has very stringent requirements on how he wants the hospital’s data protected, including encrypting data when it is in motion and while at rest, and providing multiple layers of authentication in order to access it. “With that kind of structure before, I have no issues putting everything on the cloud,” he says.

With that said, he acknowledges that his data can’s be hacked or sold, whether it resides on the cloud or in the hospital’s own data center. “In fact, in many cases the data centers where this data is stored is much better protected than in my own environment,” he says.

Morreale has a long track record in using the cloud. About eight or nine years ago (before working at Riverside), he had used the public cloud (Amazon) to host a health information exchange solution and data. With the Health Information Technology for Economic and Clinical Health (HITECH) Act and stringent requirements on privacy, he pulled back on the use of the public cloud, and opted for the “private” cloud model, with his own VPN and servers that are segregated, so access is limited is restricted. (Currently, Morreale uses Tempe, Ariz.-based ClearDATA, a cloud service provider that specializes in healthcare.)

He adds that cloud storage involves shared risk, and that he makes sure that any vendors that he works with understand that risk. He is “cautiously optimistic about other models of cloud storage such as software-as-a-service (SaaS). He requires those vendors to disclose their security plans and rules and their policies. “I insist that my data be encrypted, both at rest and in motion, which is a show-stopper for many of these smaller vendors,” he says.

Morreale says IT drives the decision to use the cloud, but that it is not solely an IT decision. He includes the hospitals senior leadership, risk management people, and legal counsel in discussions.

One of the most important lessons Morreale says he has learned in using the cloud is not to split the application and the data for that application. Among his early experiences was to run a software application in-house, but decided to store the data on the cloud. “We realized that our ability to restore the data in the event of a problem was not going to work, because it required the company to send my data on disk or tape, requiring a two- or three-day restore time.”