Cloud Basics for Medical Practices: Words to Live By – and Clichés to Bury
Adam Stern | Healthcare Business Today
Healthcare delivery is tough enough; most medical practices would prefer not to wade into the fog of IT, especially given just how obtuse the tech world has become. For those practices making the shift from an in-house solution to the cloud, getting the language right is Job #1. Familiarizing yourself with some basic terminology won’t turn you into an expert but it can provide a grounding in the fundamentals – which can make you into a wiser IT consumer and perhaps a more savvy user.
By the same token, myths and clichés about the cloud – as about any subject — are the status quo’s best friend. It’s difficult to embrace changes in business technology when some of the most basic assumptions surrounding it are obsolete, misguided or simply unfounded. Exploding these fake facts ought to be Job #2.
Let’s look briefly at each in turn. First, some lingo you’ll need to know:
Public Cloud? Private Cloud? Hybrid Cloud?
As the cloud has expanded, it more or less subdivided – private (that is, proprietary or internal to one organization), public (in which service providers make applications and storage available to any business over the Internet, typically for a monthly usage fee) and hybrid (a blend of both). Put another way, some of your workload is under your control, some outside of your control and some situations mix the two. These days, the hybrid cloud is ubiquitous. The majority of organizations rely on servers and computers, and some data resides on various desktops; some is stored with Apple or Dropbox or Microsoft, and some organizations have embraced Infrastructure as a Service (IaaS) or Software as a Service (SaaS); see below.
The right question isn’t, “Should I go on or off premises? Should I opt for the hybrid cloud, the public cloud, or a private cloud?” The smart question is, “What’s strategically best for my medical practice?” When you frame the query in that manner, you can determine where to place your compute power, and you begin to gain control over the dynamic. Want to reduce costs? Increase efficiencies? Achieve some other objective? Go back to basics. First, decide what your metrics are and how they serve the business – then select the technology.
SaaS, IaaS, PaaS.
At its most basic level, IaaS enables medical practices to move all or part of their compute environment to the cloud (that is, off premises), and to make the migration without modifying any of their existing applications. The market is now awash in IaaS tools and technologies, empowering medical practices that may lack traditional computing resources to benefit from robust products and platforms.
In the mushrooming world of the cloud, IaaS is distinguished from two other “as a service” models – Software as a Service (SaaS) and Platform as a Service (PaaS). Without getting mired in terminology, SaaS is essentially a software rental model, where individual applications are hosted – again, off-premises – for a monthly subscription fee. All users need is a web browser and they’re good to go.
Platform as a Service, PaaS, is somewhat more ambitious while remaining steadfastly user- (and application-) specific. PaaS is ideal for medical enterprises writing applications that are specific to their business – and they don’t need to build and maintain the infrastructure usually required to develop and launch apps. PaaS makes it possible, even easy, to develop applications rapidly with little technical know-how – applications that aren’t intended to be sold but that run on a single, captive platform. If the platform for which the app was written changes or ceases to exist, however, users are out of luck. With PaaS, internal development teams are compelled to ride the IT rollercoaster, forever investing and reinvesting in platform-specific application development.
The Mnemonics of Security.
For medical practices operating in the age of HIPAA, security is a process, not an event — a mindset, not a matter of checking boxes and moving on, as one might on a medical claim form. As Wired noted following the global WannaCry ransomware attack, “hospitals are the most common target of ransomware — because the stakes are literally life and death, computer users are particularly likely to pay to regain access to their machines.” Sound security planning requires assessing threats, choosing tools to meet those threats, implementing those tools, assessing the effectiveness of the tools implemented – and repeating this process on an ongoing basis.
At minimum, what steps must medical practices take? Measures like clustered firewalls, multi-factor authentication – that is, “layered” passwords – and intrusion detection and prevention systems (IDPS), which go above and beyond traditional firewalls. Increasingly, threats are emanating from Distributed Denial of Service (DDoS) attacks on hosting providers and from massive volumetric attacks. These attacks are something new and particularly troubling, and no single firewall can stop them – especially when the attacks originate from connected devices.
Clichés and Myths to Deep-Six.
- Fake Fact #1: Cloud security is porous. The fact is, your medical practice – that is, your data — is considerably safer in the cloud than tethered to equipment under someone’s desk. Any cloud provider worth its salt brings to the task a phalanx of time-tested tools, procedures and technologies that ensure continuous uptime, regular backups, data redundancy, data encryption, anti-virus/anti-malware deployment, multiple firewalls, intrusion prevention and round-the-clock monitoring. And that’s just for openers.
- Fake Fact #2: Cloud migration means changing your way of doing business. Done right, cloud computing is holistic and transparent (you might even say invisible). That is, a clinic or hospital’s entire compute environment can be placed in – and then thrive in – the cloud, and employees can access applications and data wherever they are. Outwardly, virtually nothing has changed.
- Fake Fact #3: Cloud computing will break the bank. Increasingly, the numbers favor the cloud – and numbers are just part of the equation. Indeed, the cloud has become something of a bargain. Because the cloud requires zero outlay for computer hardware and (typically) modest monthly fees for applications and maintenance – with such under-the-hood essentials as storage, backup, security, disaster recovery, round-the-clock support, etc. baked in – the economic argument is compelling. With depreciation cycles taken out of the equation, compute horsepower truly is a bargain. It’s entirely possible for a small or midsize medical office to spend $10K a month and tap enough compute power to drive a 1,000-user organization – certainly more than most actually need, but a comforting statement about economies of scale.
- Fake Fact #4: The cloud and HIPAA compliance aren’t on speaking terms. HIPAA compliance isn’t optional. And that often means achieving it is viewed as burdensome, a distraction from the core mission of patient care, especially for medical offices of modest size. Because cloud providers are literally wired for security (see Fake Fact #1), migrating to the cloud turns out to be the surest route to painless HIPAA compliance. Indeed, cloud-based HIPAA hosting plans incorporate technologies that fully address today’s regulatory environment, starting with the mandatory HITECH audit, itself organized around privacy, security and breach notification. While medical offices and clinics might be capable of doing various techy things on their own, most would prefer not to do the heavy lifting in-house. And who can blame them?
Even though clichés and fake facts die hard, the experience of cloud migration is proving to be the surest way to inter the myths that hobble progress.