If you asked a CIO managing IT for a healthcare organization in 2012 how much of his software ran in the cloud, the percentages would have been low. That’s no longer the case as 2016 nears. Emboldened by agreements to adhere to federal guidelines for protecting personal healthcare information (PHI), hospitals are turning to cloud computing to make their organizations more nimble. Healthcare CIOs, mirroring their counterparts in corporations, are taking the cloud mainstream.
The difference between 2012 and 2015 is largely one of vendors’ willingness to sign business associate agreements (BAA) regarding personal healthcare information, or PHI. Under the federal HITECH Act, cloud vendors’ handling and use of PHI must comply with privacy and security mandates ordered by the Health Insurance Portability and Accountability Act (HIPAA).
CIOs say cloud vendors initially refused to sign BAAs, which require them to be subjected to audits by the Office for Civil Rights and explain in detail how they will report and respond to a data breach. But in late 2012, Microsoft formally agreed to sign BAAs. Amazon Web Services and Google followed suit in 2013. Suddenly, going to the cloud was possible, even preferable, for hospitals seeking to become more agile by ditching their on-premises infrastructure and tedious application management.
“Amazon wouldn’t sign a BAA in 2012,” says John Halamka, CIO of Boston’s Beth Israel Deaconess Medical Center (BIDMC), speaking of his own experience. “Today, getting BAAs is no longer a problem … healthcare is now very comfortable using Amazon.” Halamka’s begun replacing physical servers with cloud services from AWS, which has agreed to provide BIDMC adequate levels of physical and logical security and documented processes that comply with HIPAA’s regulations. With healthcare accounting for roughly 17 percent of the U.S. GDP, it makes sense for AWS and its rivals to court healthcare, he says.
It also makes sense that hospitals, under pressure to deliver better patient outcomes at lower costs, adopt modern technologies that help them meet their goals. Healthcare organizations “are looking at the business and outcomes of healthcare and looking to technology as a way to be more agile,” says Steve Halliwell, director of healthcare and life sciences at AWS. “They’re trying to enable transformation for their business to happen more quickly and the cloud is providing them the opportunity to do so.”
Goodbye Data Center?
CIOs are increasingly procuring cloud infrastructure, storage and application services in lieu of managing data centers and implementing and upgrading software. Although BIDMC uses 30 AWS virtual machines today to operate its software development and test environment, Halamka estimates he could eventually shutter his entire data center, replacing 200 servers with AWS virtual machines. He says BIDMC staff are also using cloud applications for learning management and electronic healthcare records, and are testing Slack, HipChat and other tools for one-to-one and group communications. It’s incumbent on CIOs to find tools that enhance employees’ productivity.
Cloud brokering is happening elsewhere in healthcare, where CIOs are exercising additional due diligence in embracing hosted software in the face of stringent regulations. Creative Solutions in Healthcare is running 100 percent of its infrastructure in a VMware public cloud, says Shawn Wiora, CIO and CISO of the Fort Worth, Texas, nursing home provider, which has 5,000 patients.
In preparation for a move to the cloud in 2014, Wiora compared documentation for both HIPAA and the HITECH Act, and created a row in a spreadsheet for any technical requirement he needed to address. Then he presented it to VMware with the understanding that their co-signed BAA would include anything from documented processes for how VMware would dispose of storage disks to breach notification and encryption. Since switching to VMware last year, he’s dramatically reduced his infrastructure costs, as well as the time and maintenance required to maintain servers. “We’ve got a really good handshake across the BAA and a great relationship,” Wiora says.
Yet Wiora is convinced he’s an outlier. He says that many of his CIO peers still operate under the assumption that stringent HIPAA rules make it nearly impossible for healthcare organizations to adopt cloud services. He argues that “risk mitigation is much better with a cloud provider,” which can provide better security assurances than most hospitals. In addition to VMware, he’s using between 15 and 20 software-as-a-service apps for capabilities such as service management, single sign-on, human resources and electronic medical records.
Does agility trump regulatory risks?
For other healthcare CIOs, the business agility of cloud outweighs the risk of regulatory noncompliance. Partners in Health CIO Dave Mayo in 2013 began using Microsoft Azure and Office 365 to ensure that the nonprofit organization’s 17,000 clinicians, who provide healthcare services in such impoverished countries as Rwanda, Haiti and Mexico, could reliably exchange information, including X-rays and other digital images. “Email is our supply chain,” Mayo says.
Partners in Health previously used six disparate email systems, supported by a hodgepodge of servers battling to survive in hot climates. It couldn’t afford to build and staff data centers, let alone get support from high-tech vendors in such far-flung regions.
The cloud was the only answer. “We needed one platform to help unite the organization so that clinicians in the field didn’t have to worry about technology,” Mayo says. Mayo says that although the countries Partners in Health serves are not subject to HIPAA laws, he’s signed a BAA with Microsoft to ensure that the partners comply with HIPAA terms. “You don’t have to be HIPAA-compliant in Malawi, Africa, but we are.” Why? It’s just good practice, he says.
BIDMC’s Halamka says it’s inevitable that more of his peers will move to the cloud. As healthcare adopts more cloud software, vendors won’t hesitate to sign the necessary BAAs.