A sliding door bookcase, an old world stone wall patio, giant felt wall art. Ever peruse those do-it-yourself (DIY) websites or magazines and come across such projects and initially think “I can do that,” but then start to question if you really have the skills, tools and time to make it happen?

Many healthcare CIOs are in a similar position now as they consider moving to the public cloud. Certainly, the allure of the cloud in general is strong. Consider the following: the healthcare cloud services market is expected to grow from $3.73 billion in 2015 to nearly $9.48 billion by 2020, according to MarketsandMarkets, a Dallas-based research firm.

In fact, the appeal of cloud computing is becoming even more attractive as healthcare organizations also realize the cost benefits of leveraging the public cloud as opposed to continually spending money to build out the transformer or power capacity of their own private clouds. And, with these benefits clearly established, many healthcare organizations are moving beyond just using the cloud for financial and operational applications and are starting to view the public cloud as a viable option for applications that deal with protected health information (PHI).

Rolling up your sleeves?
The big question for healthcare organization leaders: Should you take a DIY approach or leave the migration to the public cloud up to the experts? While the DIY option might look good initially when comparing the upfront costs associated with using a managed service provider to assist with a move to the cloud, CIOs need to take a step back and consider the following:

Security needs. “When CIOs talk about what keeps them up at night, they always mention security concerns,” said Matt Ferrari, CTO at ClearData, an Austin-based cloud computing, platform and information security services vendor. “CIOs are deeply concerned about who is accessing their system at a specific time, country, and IP address.”

Indeed, CIOs need to keep their “eyes on everything” to ensure that each piece of PHI data is protected. The problem is that many CIOs don’t really know where to start as they are often working with a complex array of systems that have been acquired through the years.

To protect patient data, however, managed service providers typically automate and apply a variety of compliance and security measures to all PHI. To accomplish this, managed service providers leverage a variety of tools such as application security, identity and access management, network traffic protection, log management, monitoring and alerting, and more.

The level of expertise required. Moving to the cloud also requires the right expertise. While healthcare organizations typically have capable IT professionals on staff, most lack the specific knowledge required.

“The vast majority of them probably don’t know the deep underpinnings of how a HIPAA-compliant cloud actually works. To get an organization’s IT professionals certified on such a platform takes a lot of time and money. Just putting one IT professional through a certification course with a public cloud provider costs between $5,000 and $10,000 in addition to the years of experience required,” Ferrari said.

As such, the cost benefits initially associated with the DIY approach can quickly vanish. Even if an organization does have IT professionals in place with the right training, CIOs should consider if they want them spending time on activities associated with migration to the cloud – or if they would be better off using these human resources to focus on more strategic initiatives, Ferrari advises.

The challenges associated with the migration process. The actual migration of data to the cloud presents many challenges for healthcare organizations. As a result, organizations need to create secure migration strategies by leveraging encryption in transit and encryption at rest as the data is migrated, and by ensuring that the organization does not suffer an outage during the migration process.

“Oftentimes, it’s doing things like ensuring that the 300 clinical users still have VPN connectivity back to the Electronic Medical Record system so that the receptionist at the front desk can continue to service patients without interruption,” Ferrari says.

Business associate agreement burdens. When taking a DIY approach, healthcare organizations need to enter into business associate agreements with all of the vendors that handle PHI, including the vendors that provide encrypted back-ups, anti-virus, log-handling and other services.

“Negotiating business associate agreements with 20 to 30 vendors in order to have a PHI-ready environment is a chore. It’s a large hurdle that healthcare organizations would have to deal with right off the bat when trying to migrate to the cloud on their own,” Ferrari says.

Originally published at HealthDataManagement.com on September 18, 2016.