Forecast for cloud computing
Security concerns hinder move into cloud services
Two years ago this month, Modern Healthcare first reported on the status of cloud computing in the healthcare information technology industry, noting there was little awareness of its potential and limited uptake of cloud services in the healthcare IT industry at that time.
Today, cloud’s market share has grown, but only by a smidgen. What has increased much more is the wary acceptance that remote software applications, computing power and data storage systems “in the cloud” are likely to play a larger role in the healthcare industry in the future, according to industry IT experts contacted for this story.
While the novelty of cloud computing is no longer an issue, some IT professionals remain uncomfortable with data security in cloud-based systems, and their insecurity, real and imagined, remains a key barrier to further adoption, the experts say.
In January, the National Institute of Standards and Technology issued a seven-page draft definition of cloud computing, essentially a re-release of a definition NIST scientists had developed at least two years earlier. According to the NIST, to be truly cloud-based, an IT system must have five essential characteristics: on-demand selfservice, broad network access, resource pooling, rapid elasticity and measured service.
According to Gartner, a technology market research firm, the global market for cloud-based computing is expected to grow by 20% a year in 2011 and 2012 (See chart). But the healthcare industry won’t be leading that charge, Gartner says. Only about 4% of overall cloud spending comes from the healthcare industry today, and that share is estimated to increase by less than one percentage point by 2012.
Stephen Stewart is chief information officer for the Henry County Health Center in Mount Pleasant, Iowa, which operates a 25-bed criticalaccess hospital and a 49-bed nursing home, both of which use electronic health-record systems. Stewart expresses considerable ambivalence about cloud-based applications for healthcare.
“Whereas probably a year ago, I’d say, I’m not interested,” Stewart says, today, “I’m paying more attention to it.” The tiny hospital already uses a cloud-based vendor to provide it with twice-a-day data backups, and “I think we’ll move forward on one of our two specialty applications.” Still, his security concerns run deep.
“Where is my data?” he says. “Is it even in the U.S., and within the laws that I know?” Then there comes “that whole question of what is the legal record? Where is my single source of truth?”
Stewart’s bottom line reflects his ambivalence. “As much as I hate to say this, for healthcare, it’s an idea that isn’t quite there yet,” Stewart says. But, “Even for an old dog like me who has their personal biases, it’s a coming trend, and I just have to get comfortable with where my data is.”
Providers have good reason for discomfort, says Michael “Mac” McMillan, co-founder and CEO of Cynergis Tek, an Austin, Texas,-based IT security firm. Cloud computing “is like everything else that’s new” in IT, he says. “Security is catching up.”
“When cloud hit the scene, all you heard about was, it’s going to save you all this money,” McMillan says. “And the truth of it is, it absolutely can. There are a number of benefits with cloud computing. It can make organizations more flexible and efficient. It helps with backing up and all sorts of things.” Soon after cloud first appeared, however, McMillan says, “they started peeling back the onion and found some of these cloud models are not so secure.”
“There is what I call a pure cloud, which is a vendor that aggregates space across multiple data centers,” McMillan says. A pure cloud vendor is not as interested in keeping a provider’s data together as it is in allocating space to store it. “You contract with this vendor and your data could literally be all over the planet. It could be in Russia or the Philippines or in Kansas.”
“One of our customers is waking up to the fact that they’re in the cloud already,” he says. In a routine review of an IT vendor contract, “we just found out (the contractor) outsourced a large part of their data storage to a cloud vendor without telling us. Not only did the initial IT vendor outsource storage duties to another entity, but that entity outsourced the data to another entity,” McMillan says. The provider organization “had no idea their data had been outsourced away and went into the cloud.”
“People really need to look into who their cloud vendor is,” he advises. Key questions are: What is their business model? Do they own and operate their data warehouses or simply act as what McMillan describes as “aggregators” of cloud services, mere middlemen? How is the data segmented?—and whether one entity can see another’s data when both are running on the same servers. Can the cloud vendor even audit access to the data? Do they provide encryption, and who holds the encryption key? Are they willing to own up to their role as a business associate with legal obligations to provide adequate privacy and security controls under HIPAA?
But security concerns, in contrast, pushed Baylor Health Care System toward cloud computing, not away. Michael Frederick, chief infor-