Something interesting has been happening in healthcare over the last several years. While we’ve been focused on meaningful use, EHRs, and Obamacare, healthcare has quietly started to embrace the cloud. Most of us imagined the cloud onramp in healthcare to be many years away. But it hasn’t been. In many ways, it’s happened the same way it happened in other industries — through data connections between on-premise legacy systems and new cloud-based solutions. Just like many enterprises embraced the cloud over the last 15 years with Salesforce, so too are healthcare enterprises embracing new SaaS-based digital health solutions.
Data is in the Driver’s Seat
Healthcare’s onramp to the cloud is about data, not about lifting and shifting legacy systems out of hospital data centers and into the cloud. And the nature of the cloud enables a paradigm shift in the types of solutions that are succeeding. Digital health technologies, the major drivers of the future of health IT, are being selected based on the best of breed model, not the one-size-fits-all model of the monolithic EHRs that have proliferated and dominated health IT resources for the last fifteen years. This swing back to best of breed is important because it opens the door for new, highly-targeted and highly-valuable solutions to flourish. Healthcare is letting a thousand digital health flowers bloom. On the flip side, this new model also creates a ton of noise in the industry that champions and decision makers at healthcare enterprises have to wade through.
Don’t get me wrong, there are still bottlenecks to the onramp, most notably data integration and, most frequently, a non-technical problem; but even integration is becoming a solved problem (FHIR, new APIs, new knowledge transfer, open source tools to educate and jumpstart integrations, etc.). EHR integration is certainly easier to solve than setting up and managing a host of digital health applications on premise.
Beware of the Data Security Risks
But, this type of onramp to the cloud does create a new set of risks for healthcare organizations. The data onramp, in many ways, is more risky than lift and shift. The data being shipped to the cloud is health data and the stewards of that health data are covered entities (mostly health systems and insurance companies). This data isn’t contact information for sales prospects going into Salesforce. Privacy and security are always important but, in healthcare, there is a significant financial risk if you get them wrong.
The risk is compounded as healthcare organizations work with more and more cloud-based digital health solutions, as is now happening in the best of breed model that has emerged. The challenge in healthcare is that HIPAA is loosely defined at best, and loosely audited at worst. So a healthcare organization may work with ten different digital health solutions and all ten of those solutions may be on the same cloud provider, say AWS for this example, but every one of those digital health solutions addresses HIPAA compliance and data security in different ways. This makes it nearly impossible for healthcare organizations to maintain a consistent data governance posture and, maybe more importantly, to understand their current risk of breach or security incident.
Cloud Cybersecurity Depends on Consistency
Something we often hear from healthcare organizations is that they have a mix of cloud-based solutions that are connected to their EHRs. These solutions can include applications built in house, applications built by development groups contracted by the organization, and SaaS applications developed and supported by 3rd party vendors. Chances are every one of those instances is secured and managed differently. At Datica, we run a fleet of 500+ cloud hosts across multiple data centers, running many different applications and technology stacks. All of those hosts and networks are audited and assessed on an ongoing basis. Trust us when we say that doing cybersecurity in the cloud, consistently and continually, is non-trivial. And it’s our core expertise!
These data risks are mitigated to some extent in the lift and shift model as the cloud is managed and configured in a standard way for technologies migrating to the cloud. But that’s not the model we have in healthcare for the foreseeable future; lift and shift will happen, but our best guess is that it is five to ten years away for even progressive organizations. Ultimately, covered entities will bear the cost of data breaches and it is up to them to find a way to reduce that risk. The onramp to the cloud has already started and has created new risks. Healthcare organizations need to get ahead of these risks as they continue to test and scale best of breed digital health solutions.