While the novelty of cloud computing is no longer an issue, some IT professionals remain uncomfortable with data security in cloud-based systems, and the insecurity of those systems, real and imagined, remains a key barrier to further adoption, experts say.
In January, the National Institute of Standards and Technology issued a seven-page draft definition of cloud computing, essentially a re-release of a definition NIST scientists had developed at least two years earlier. According to the NIST, to be truly cloud-based, an IT system must have five essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service.
According to Gartner, a technology market research firm, the global market for cloud-based computing is expected to grow by 20% a year in 2011 and 2012 (See chart). But the healthcare industry won't be leading that charge, Gartner says. Only about 4% of overall cloud spending comes from the healthcare industry today, and that share is estimated to increase by less than one percentage point by 2012.
Stephen Stewart is chief information officer for the Henry County Health Center in Mount Pleasant, Iowa, which operates a 25-bed critical-access hospital and a 49-bed nursing home, both of which use electronic health-record systems. Stewart expresses considerable ambivalence about cloud-based applications for healthcare.
“Whereas probably a year ago, I'd say, I'm not interested,” Stewart says, today, “I'm paying more attention to it.” The tiny hospital already uses a cloud-based vendor to provide it with twice-a-day data backups, and “I think we'll move forward on one of our two specialty applications.” Still, his security concerns run deep.
“Where is my data?” he says. “Is it even in the U.S., and within the laws that I know?” Then there comes “that whole question of what is the legal record? Where is my single source of truth?”
Stewart's bottom line reflects his ambivalence. “As much as I hate to say this, for healthcare, it's an idea that isn't quite there yet,” Stewart says. But, “Even for an old dog like me who has their personal biases, it's a coming trend, and I just have to get comfortable with where my data is.”
Providers have good reason for discomfort, says Michael “Mac” McMillan, co-founder and CEO of Cynergis Tek, an Austin, Texas-based IT security firm. Cloud computing “is like everything else that's new” in IT, he says. “Security is catching up.”
“When cloud hit the scene, all you heard about was, it's going to save you all this money,” McMillan says. “And the truth of it is, it absolutely can. There are a number of benefits with cloud computing. It can make organizations more flexible and efficient. It helps with backing up and all sorts of things.” Soon after cloud first appeared, however, McMillan says, “they started peeling back the onion and found some of these cloud models are not so secure.”
“There is what I call a pure cloud, which is a vendor that aggregates space across multiple data centers,” McMillan says. A pure cloud vendor is not as interested in keeping a provider's data together as it is in allocating space to store it. “You contract with this vendor and your data could literally be all over the planet. It could be in Russia or the Philippines or in Kansas.”
“One of our customers is waking up to the fact that they're in the cloud already,” he says. In a routine review of an IT vendor contract, “we just found out (the contractor) outsourced a large part of their data storage to a cloud vendor without telling us. Not only did the initial IT vendor outsource storage duties to another entity, but that entity outsourced the data to another entity,” McMillan says. The provider organization “had no idea their data had been outsourced away and went into the cloud.”
“People really need to look into who their cloud vendor is,” he advises. Key questions are: What is their business model? Do they own and operate their data warehouses or simply act as what McMillan describes as “aggregators” of cloud services, mere middlemen? How is the data segmented, and can one entity see another's data when both are running on the same servers? Can the cloud vendor even audit access to the data? Do they provide encryption, and who holds the encryption key? Are they willing to own up to their role as a business associate with legal obligations to provide adequate privacy and security controls under HIPAA?
Security concerns, in contrast, pushed Baylor Health Care System toward cloud computing, not away from it. Michael Frederick, chief information security officer of the Dallas-based provider, says the organization has spent about $6.5 million over the past five years buying and maintaining an identity management system from Sun Microsystems. After Sun was acquired by Oracle Corp. in 2009, however, “we learned the product family was no longer strategic for Oracle,” which had its own competing product, Frederick says. That prompted Baylor to look at other options and to settle on collaborating with the Health Information Trust Alliance, or HITRUST, to develop a cloud-based alternative.
Daniel Nutkis, CEO of HITRUST, in nearby Frisco, Texas, says 77% of insurance companies use the HITRUST Common Security Framework to evaluate their security programs for sensitive information. As adoption of its security standards grew, “industry came to us and said, ‘What can we do to improve user satisfaction in the context of improved security?’ ” Nutkis says. In response, he says, not-for-profit HITRUST launched for-profit HITRUST Identity Services to provide customers such as Baylor with a cloud-based identity management application. HITRUST runs the service out of a CSF-compliant, third-party data center in the Midwest, Nutkis says. “By putting it in the cloud we could offer it on a more cost-effective, per-seat basis.”
Frederick says the plan is to begin rolling out the cloud-based identity management solution to the system's 5,000 physicians in October and have all 26,000 Baylor employees on it by this time next year. After that, he says, the idea is to offer the system to the entire north Texas provider community. The cost will be lower than an off-the-shelf software alternative, Frederick says, but the driving force behind the switch was physician satisfaction, not cost.
“In Dallas, you could have physicians with privileges at several different hospitals,” Frederick says. That means they need different passwords and could be required to carry different badges to access the disparate systems, a cumbersome requirement that should be eliminated by the new cloud-based service, he says. “I've been in security for 20 years, and this is the first time I've had people banging on my door asking for what I'm selling.”
When Vivek Kundra became the federal government's first chief information officer in 2008, he initiated a “cloud first” campaign asking all federal agencies to consider what government IT services could be moved to the cloud. According to a presentation Kundra made this past April, the government plans to close 137 data centers by the end of 2011 and 800 by 2015 as part of the cloud initiative. One already closed is an HHS data center in Rockville, Md., with $1.2 million in yearly electricity costs.
Kundra also asked NIST to collaborate with the private sector and standards-development organizations to set standards and guidelines to promote the cloud conversion. In February, NIST issued the 60-page Guidelines on Security and Privacy in Public Cloud Computing.
The NIST guidelines didn't sugarcoat any of the privacy and security issues, saying assessing and managing risk in cloud computing systems “can be a challenge.” For example, they warned that “non-negotiable services agreements . . . are generally the norm” among cloud vendors, but negotiation can address concerns about privacy and security details such as vetting of employees with access to data, data encryption and segregation, as well as tracking and reporting services.
NIST noted that Web browsers are a “key element” of access by end users to cloud-based services, yet “the various plug-ins and extensions for Web Browsers are notorious for their security problems.”
Ultimately, according to NIST, “Establishing a level of confidence about a cloud service environment depends on the ability of the cloud provider to provision the security controls necessary to protect the organization's data and applications.” Verification is key and “third-party audits may be used to establish a level of trust.”
In the end, according to NIST, it's caveat emptor for a cloud buyer: “if the level of confidence in the service falls below expectations . . . it must either reject the service or accept a greater degree of risk.”
Meanwhile, an updated draft of the Federal Health IT Strategic Plan for 2010-15 issued by the Office of the National Coordinator for Health Information Technology at HHS in May doesn't even mention the cloud. A final plan, incorporating public comments, is due in about a month.
Wil Yu, a special assistant for innovations and research at the ONC, says in an e-mail that cloud-based health IT could help providers meet their meaningful-use targets under the CMS-run EHR incentive payment programs for Medicare and Medicaid.
Cloud solutions “may be very palatable to organizations that currently have very little computing power and financial resources,” he says, adding that rural practices and hospitals “are prime examples of healthcare settings that would highly benefit due to the lack of internal computing power and the need to pay for health IT resources as an operational expense” versus the capital outlay if they purchased and ran those resources in-house.