Contrary to what some believe, health care organizations can use the public cloud, with the right precautions

Since 2012 three Texas-based health care organizations have merged to create USMD Health System. During the past four years CIO Mike Yerrid has been on a mission to centralize and consolidate IT operations. And a big part of that is moving to Amazon’s cloud.

Yes, as a health care organization, USMD is subject to stringent regulations for protecting patient information, and yes it’s moving to the public cloud. USMD isn’t alone. “Health care organizations are becoming more comfortable with cloud technology,” says Lynne Dunbrack, leader of research firm IDC’s Health Insights practice.

“With the increased threats of cyber attacks, I think that health care providers are recognizing that the cloud service providers know about securing infrastructure and applications and have the resources to do so; more so than their constrained IT staff can handle.”

Two years ago, IDC Health Insights surveyed health care IT providers and found that 87.5 percent of respondents were comfortable with using cloud technology. The survey of 310 IT pros found that 35 percent of new infrastructure purchases would be made in the cloud. Last year the number rose to 40 percent.

Economies of the cloud

For Yerrid at USMD, the move to embrace the cloud came down to economics. After the mergers, USMD is now made up of two hospitals, four cancer treatment centers and 50 clinician offices. “The reality is capital is being spent on other merger activities – growing the organization,” he says, not necessarily on IT infrastructure.

In Yerrid’s mind he has two choices: Either estimate the needs of his IT infrastructure and front-end the capital expense of buying it; or use a pay as you go cloud infrastructure. Yerrid believes that owning and operating his own infrastructure is just not efficient. “If planned growth doesn’t occur then you’ve overpaid for equipment that you didn’t need,” he says. “If you did measure it right, then you still have to replace it all within a certain amount of time.”

In a cloud model, Yerrid provisions the infrastructure resources he needs based on demand.

“The elasticity of a cloud solution is ideal for a company that is growing,” he says. “We have the ability to turn very quickly.” Without this ability, he says IT can be a roadblock. With the cloud, IT can keep pace with the growth.

First SaaS, then IaaS

The low-hanging fruit for USMD’s cloud migration were SaaS apps. Yerrid implemented a NetSuite accounting system and a Human Resources app from ADP as his first cloud use cases. More recently Yerrid has migrated his practice management system to the cloud. It handles all scheduling, billing and registrations and is the main portal for many of the organizations 1,500 health care workers.

Medical imaging is also being transitioned to be stored in the cloud, including diagnostic X-rays. To help manage the migration, USMD is working with a provider named ClearDATA, which specializes in helping health care organizations migrate workloads to the public cloud while remaining in compliance with health care privacy laws.

The Health Insurance Portability and Accountability Act (HIPAA) is the primary law dictating the protection of health care information. The HITECH portion of the law instituted new regulations in 2009 for health care organizations to protect electronic health data. It now requires health care organizations to inform patients of data breaches and it outlines a patient’s rights.

Chris Bowen, founder of ClearDATA, says there are three main focus areas for HIPAA and HITECH regulations related to technology:

  • Administrative controls: Policies must be in place to determine who has access to what data.
  • Technical controls: Rules must be in place to secure data.
  • Physical controls: Standards for physical access to data and infrastructure resources must be abided by.

Bowen says all three can be satisfied in a cloud environment, with the right precautions. In Amazon Web Service’s cloud, for example, it can be set up so that all activity in the cloud environment is monitored and logged and any unusual activity is flagged and reported, satisfying the administrative controls. All data in AWS can be encrypted and Amazon can provide assurances to customers regarding physical access to their data centers that host their clouds. ClearDATA provides a dashboard for customers to check their cloud-based environment against HIPAA regulations. USMD has signed a contract – named a Business Associate Agreement – with ClearDATA to be responsible for ensuring HIPAA compliance in this cloud-based environment.

Not everyone’s a cloudie

Last year the CTO of another Texas-based health care organization named CHRISTUS Health told Network World that he’s in no rush to move to the cloud. Lynn Gibson, who oversees a data center with about 200 physical hosts running 4,000 virtual machines for CHRISTUS, says, “When you get to be our size you really have to analyze how much control you want to give away to an outsourcer.”

“There are some people projecting that hospitals and healthcare organizations don’t need data centers. I think that’s a little cavalier. If you start doing that you’re giving away control of your patient information and patient data and that’s where the money lies. The key to everybody’s future in healthcare is going to be around the knowledge that you gain out of the data you maintain,” he says.

About the Author

Brandon ButlerSenior Editor

Senior Editor Brandon Butler covers the cloud computing industry for Network World by focusing on the advancements of major players in the industry, tracking end user deployments and keeping tabs on the hottest new startups. He contributes to and is the author of the Cloud Chronicles blog. Email him at and follow him on Twitter @BButlerNWW.

Originally published September 20, 2016 by Network World.