A couple of weeks ago at HIMSS, we hosted a CHIME focus group with about twenty CIOs. The CIOs in the group represented public and private healthcare organizations, children’s and specialty hospitals, academic centers, and large integrated networks from across the country. It’s safe to say it was a broad swath of the provider market. The purpose of the conversation was not to try to sell Datica. Our goal was to have a discussion to gauge readiness, strategies, and maturity of the cloud in healthcare, specifically the public cloud (AWS, Azure, and Google).
Despite the diversity of organizations represented, the feedback and discussion with the focus group CIOs demonstrated consistency of high-level thinking about the cloud for healthcare delivery organizations. We’re sharing our findings from the session because we fundamentally believe transparency in healthcare technology and healthcare on the cloud benefits the entire industry, including Datica. Below are the topics we covered and the salient points we took away.
What is the cloud?
This garnered a lot of interesting responses like “a new way to spend money” and “x as a service”. It’s definitely something CIOs are looking at and, in some use cases, using, but the universal sentiment was that the cloud isn’t going to solve immediate problems facing CIOs. Another interesting insight was that the cloud was seen as a new way to spend money. In the near-to-medium term, as healthcare organizations work directly with cloud service providers or through partners and business associates that are using the cloud, healthcare organizations are going to be managing both on-premise technology and cloud spending. One quote I wrote down was “you can’t justify the move to the cloud for ROI alone”. One CIO said vendors misrepresent the cloud when they pitch it to CIOs as a cost savings, commenting, “cloud providers have to make a margin”.
What are the major roadblocks to the cloud?
The major roadblocks to the cloud that the group identified were competing priorities, security (more on that later), and human capital. Given the consensus of the cloud having a questionable ROI, or a long-term ROI at best, it makes sense that it’s not high on the priority list for CIOs when the majority of their resources are still dedicated to the care and feeding of EHRs. Additionally, we’ve discovered in other conversations that the staff CIOs do have aren’t cloud, DevOps, or DevSecOps experts. One other point of feedback was a loss of control associated with a lack of support when moving to the cloud.
How are you using the cloud today?
With the exception of a couple of CIOs mainly representing ancillary service providers, the major uses of the cloud today were things I’d classify as pet projects, or non-core IT projects. The cloud was being used in innovation, research, and by partners/vendors/business associates. The great cloud migration, or the lift and shift story, is definitely not happening at scale any time soon.
How are you solving security and compliance on the cloud?
There was not a consensus on how healthcare enterprises are solving the challenges of security and compliance on the cloud. Every CIO acknowledged the importance of security, but it is definitely something organizations still seem to be figuring out. There were challenges around cloud security that most of the CIOs acknowledged were not solved problems.
How are you validating 3rd party security on the cloud?
This was an interesting one. I’ve always speculated that there is no way for healthcare organizations to effectively assess the security of their vendors when it comes to the cloud. Healthcare security and compliance groups don’t have the resources and cannot dedicate the time to verify everything from vendor policies and procedures to technical configurations. In the world of cloud, this challenge is compounded by the number and dynamic nature of available cloud services. Because of this, I’ve thought HITRUST would succeed as a proxy for bespoke security reviews. To some extent it has, and most CIOs at our focus group were considering or already going down the path of HITRUST. But the universal sentiment we got was that health systems felt they had to be able to do their own security reviews of 3rd parties. They viewed the risk as only partially tied to financial risk of data breach. The major concern we heard was reputation damage to the org and the potential scale of a breach on the cloud.
Is Shadow IT a concern at your organization?
Based on feedback we’d gotten during many of our Healthcare Innovators podcasts, we published a report last year on Shadow IT in Healthcare. We know Shadow IT is an important topic for healthcare provider organizations, but we wanted to have an open-ended dialog to assess its visibility at the CIO level. Almost every CIO in the room expressed concern about Shadow IT at their organization. It seemed like a problem many CIOs had thought about. Some of the major culprits cited were medical residents. There wasn’t consensus, but one area that emerged is the need for a bimodal IT offering: one for traditional, or core IT, and one for Shadow IT. One interesting sidebar of this discussion concerned what to do about Shadow IT. The consensus seemed to be that stopping it isn’t an option given increasing knowledge of the Shadow IT community and the lower cost and complexity of cloud development. It was suggested that a credentialing process be created to establish education requirements, acceptable tools and usage, reporting, etc. This idea would require a lot of development to be viable, but it has interesting implications.
We gained a lot of value from the discussion and we hope the CIOs who participated felt it was a good use of their time.