Going sky high
Healthcare accelerates move into cloud-based services
The healthcare industry is gradually overcoming its fears and is—finally— about to get high on the cloud. The array of technologies commonly known as cloud computing are coming into their own in healthcare as a secure, capable and cost-effective means to provision computer hardware, and software and services, despite persistent and still lingering concerns about privacy, security and reliability.
One newer user who’s happy she jumped to the cloud is Terri Kendrick, director of purchasing at Wheaton Franciscan Healthcare system in Glendale, Wis. Three of its 11 hospitals are up and running on a cloud-based, medical/surgical ordering system from McKesson Corp. in a rollout that began in November and should wrap up by October, she says.
“Security has always been an issue,” Kendrick says, so the plan to switch to a cloudbased system was scrutinized. “We talked to our IS department about the encrypting and password protection and we addressed everybody’s concerns.”
While Wheaton’s departing in-house ordering system has 60,000 items, the new cloudbased system has 1.3 million and is growing, Kendrick says, including “300,000 items with our purchase history, pricing and formularies.” The cloud enables buyers to expand their formularies and sellers to grow their product catalogs more quickly and easily.
“If you’re in the OR, you’ve gone in and built a list of your favorites, because you don’t want to access 1.3 million” records, Kendrick says. “So you just select an item and drop it into your shopping cart and it’s done.” The new system also features onboard decision support. “If it’s something that’s not on contract, it will flag you, and because it has artificial intelligence behind it, it will flag you to an item that is on contract.”
For managers, “there is a dashboard that can show that this is a missed opportunity or somebody is doing a bang-up job.”
Kendrick says it’s too early to talk about return on investment in the technology, but “we’re looking to see where those opportunities are.” Todd Tabel, vice president of McKesson’s
supply chain solutions unit, says the software runs in a cloud hosted by Amazon. The online retailer is also a major provider of cloud services. For McKesson today, Tabel says, “well under 10%” of its supply chain software is cloud-based, but “it’s come far enough in terms of adoption, you’ll see quicker uptake in three to five years.”
Ramping up fast
Four years ago, Modern Healthcare took its first in-depth look at cloud computing (Aug. 10, 2009, p. 30). There was much hype but little uptake as providers’ unfamiliarity with the services as well as privacy and security fears held back cloud adoption. Two years later (Aug. 8, 2011, p. 32), in an update, there was more hype, some cloud use, but trepidation remained high.
This year, clouds are sweeping in, primarily used in supply chain, human resources and other business-side areas where little patient information is involved. And while privacy and security issues remain, widespread acceptance— even for clinical applications—seems just over the horizon, particularly in less scary “private clouds.” One market researcher predicts nearly a six-fold increase in cloud spending by 2020.
Flexibility, the ability to rapidly add new software programs and services as needed; scalability, the capacity to expand as healthcare organizations consolidate; and functionality, the power to harness the ubiquity of the Internet, are major cloud drivers, health IT experts say.
Meanwhile, many new healthcare software developers are cloud disciples.
“Cloud computing allows you to scale,” says Siva Nadarajah, CEO of Semantelli, a Bridgewater, N.J., market research firm acquired in April by IMS Health. Semantelli launched its Webbased service two years ago, helping healthcare organizations sift through the flotsam of social media for business intelligence. Building his business in the cloud was the only way to go, Nadarajah says. “The cloud allows you access to the latest version of the software. The accessibility of your software to your clients becomes seamless.”
What is a cloud? It’s not “cloudwashing,” a pejorative descriptor for the all-too-widespread marketing gimmick of slapping the word “cloud” on any old software that touches the Web. Think of the cloud as “a whole collage of technologies and standards,” says Timothy Grance, senior computer scientist at the National Institute of Standards and Tech- nology, who worked on a NIST effort to describe and define cloud computing (See chart, p. 32).
According to technology watcher Forrester Research, cloud computing globally, across all industries, will grow from a $41 billion market in 2011 to $241 billion by 2020. The “private cloud” niche will expand from $7.8 billion in 2011 to $15.9 billion by 2020.
Erik Westerlind, a research director with KLAS Enterprises, which specializes in healthcare IT market research, looked at 16 vendors of cloud services to hospitals. “True clouds” are rare in healthcare, but “hybrid clouds,” used by EHR vendors to host their own systems, were the most common, his research found. Twothirds of his survey respondents who were not using cloud services indicated security was still their big choke point.
Dark clouds remain
The specter of cloud insecurity is not limited to healthcare.
North Bridge Venture Partners, a Waltham, Mass.-based investment firm, in May released
its third annual survey report on the future of cloud computing across multiple industries. In it, North Bridge general partner Michael Skok says the cloud is “on an unstoppable rise.” Of the 855 survey respondents, 65% cited reliability/bandwidth/complexity as main concerns, while 63% identified regulatory compliance and privacy issues.
“Maybe 70% of the organizations we’re seeing are using cloud services of one kind,” says security professional Mac McMillan. “Providers have embraced the cloud when it comes to nonclinical data—supply chain, enterprise resource planning and human resources—things that don’t have the same type of rigor around them in terms privacy and security” as patient medical records, says McMillan, CEO of CynergisTek, an Austin, Texas, security consultancy.
“With clinical data, when it comes to accounting for disclosures and backing up that data, and knowing where it is, that’s when they get nervous about the cloud,” he says. For patient-identifiable information, such as in EHRs, “public cloud infrastructures are just a nonstarter,” he says. “Public cloud vendors rent space from data storage facilities around the globe. You could have some of your data in a data center in L.A., or in Canada, or in Mexico, wherever they have space. Scattering it all over the universe just doesn’t work.”
In contrast, private clouds, which can specify data storage locations, “do have a play when it comes to clinical data,” he says.
Four years ago, Robert Gellman, a privacy lawyer in Washington, in a white paper for the World Privacy Forum, presciently warned of a potential threat from consumer-oriented clouds if an employee “makes an ad hoc decision to share data with a cloud provider” without checking the cloud provider’s terms of service.
That’s a huge potential no-no, because the Health Insurance Portability and Accountability Act, the main federal electronic health information privacy and security law, obliges providers to sign business associate agreements with handlers of their patient data, and also because the terms of service of many cloud providers “allow the provider to publish any information stored on its facilities,” Gellman says.
Late last month, Oregon Health & Science University in Portland announced some physician residents had posted their patients’ data to Google’s cloud-based e-mail and file-sharing services. The data could have been used for “operating, promoting and improving (its) services, and to develop new ones,” under Google’s terms of service, the university statement says. The breach prompted OHSU to mail notices to more than 3,000 patients and report it to the Office for Civil Rights at HHS, the federal enforcement agency under HIPAA.
OHSU spokesman Jim Newman confirmed the university did not have a business associate’s agreement with Google.
Some prominent cloud services vendors are stepping up to meet HIPAA requirements. In April, cloud services provider Box announced it would sign business associate agreements with providers, encrypt healthcare data in transit and “at rest,” and provide audit trails to identify who accesses health records, all HIPAA-linked precautions.
Security worries aside, “healthcare is definitely going to the cloud,” says Kathryn Coburn, a Santa Monica, Calif.-based lawyer specializing in health IT, privacy and security with Cooke, Kobrick & Wu. “That’s what I hear from my clients. This is a wave that’s not going to be stopped.”