
Considering the Cloud: Inside the Mind of the Healthcare CIO
December 15, 2015
2:00 – 3:00 pm ET

Housekeeping Issues
• All participants are muted
– To ask a question or make a comment, please submit via the chat feature and we will address as many as possible after the presentations.
• Audio and Visual is through www.readytalk.com.
– If you are experiencing technical difficulties accessing audio through the web, there will be a dial-in phone number displayed for you to call. In addition, if you have any challenges joining the conference or need technical assistance, please contact ReadyTalk Customer Care: 800.843.9166.
• Today’s slides will be available for download on our homepage at www.ehidc.org

Overview of eHealth Initiative
• Membership-based, non-profit
• Mission: to promote the use of HIT as a key component of health system reform.
• Research, advocacy, education: host webinars and events to:
– Highlight higher-level theory and policy behind the use of health IT
– Demonstrate on the ground examples of how organizations are using technology
– Share lessons learned and best practices

Multi-Stakeholder Leaders in Every Sector of Healthcare

Considering the Cloud: Inside the Mind of the Healthcare CIO
• Explore the role of the cloud in healthcare
• Why use the cloud in healthcare? – discuss advantages of cloud infrastructure
• How to best enable the effective use of cloud? – governance, security, vendor relationships, workflow, etc.
• What impact has the cloud had on the enterprise?

Agenda
2:00 – 2:05 Welcome & Introductions
2:05 – 2:30 Presentations
– Mitch Parker, Chief Information Security Officer, Temple University Health System
– Chad Thiemann, Privacy Director, Information Governance & Privacy Operations, CVS Health
2:30 – 3:00 Audience Q&A

Speakers
Chad Thiemann, Privacy Director, Information Governance & Privacy Operations, CVS Health
Mitch Parker, Chief Information Security Officer, Temple University Health System

Considering the Cloud
Mitchell Parker, CISSP
CISO
Temple Health

Purpose of Presentation
• To show that the cloud is already in use in the healthcare environment, and how we can best manage it

The role of the Cloud
• Healthcare has always been about leveraging shared services to save money
– In the first days of computing, Service Bureaus used to provide time on mainframes for data processing
– Shared Medical Systems’ (now part of Cerner) business model based on it
• This model continues, with multiple vendors offering Electronic Medical and Health Records as shared services

The role of the Cloud (2)
• There are several factors causing CIOs and CFOs to look into the Cloud:
– Increased Clinical Initiatives taking up capital pool money
– Increased operational costs for EMRs, EHRs, and supporting ancillary systems
– Cash flow pressures due to public markets (bond, stock) and need to maintain certain operational income margins
– Increased regulatory requirements (Joint Commission, CMS)

Why use the cloud in healthcare?
• Reduce costs of supporting non-core systems
– Human Resources, Supply Chain, E-mail, File Storage
– Turn capital costs into Operational Costs
• Provide Better Security
– Cloud Providers can provide better support and maintenance as they focus on your systems
– They plan in aggregate and leverage costs
– Better operational monitoring of systems
– Better patching and protecting against vulnerabilities

Why use the cloud in healthcare (2)?
• Reduce costs of supporting core systems
– EMRs are expensive
– So are Ancillary Systems
– Scarce resources for large popular implementations
– Hosting the EMR elsewhere allows for predictable costs, maintenance, and upgrades
– It also reduces risk to the core environment by having patients access the third party site instead of the hospital/healthcare environments

HOW TO BEST ENABLE CLOUD USAGE

Governance
– Cloud applications need to fall under the same rules and regulations that on-premise applications do, with no exceptions
– Supply Chain needs to be heavily involved
• One of the issues we found was “shadow IT” doing acquisition and purchasing
• You need to be able to have one set of rules that apply to everyone
– Departments need to be heavily involved
• Even if your departments do not have cloud-based applications, their vendors do

Security
– You need to be very comprehensive in security evaluations
• Standardized Questionnaire
• Standardized Contract Language for HIPAA and Security
– Preliminary Risk Assessments of products before the contract is even signed
– Yearly risk assessments as per the HIPAA Security Rule
– You have every right to ask questions and ask vendors for changes
– Always make sure that moving a core system improves security and supporting processes

Vendor Relationships
– You need to have very tight relationships
• They are your business partners, not your adversaries
– Make sure that contracts spell out everything they need to do
– Make sure that preliminary questionnaires cover major areas of security (hosting, development, ongoing maintenance, upgrades, downtime)
– You need to be upfront and specific about security Service Level Agreements

Disaster Recovery
• As per the Joint Commission Information Management Standards, organizations need:
– Downtime Procedures
– Disaster Recovery Plans
• While an organization might have been able to get away with not updating this as much in the past, this is different now
• This is now something that needs to be tested at least yearly, if not more
• This is one hidden cost that organizations may not be aware of
– Cloud does not obviate your need for DR and Downtime Procedures
– Now that your applications aren’t on premise, even if they are redundant, there is still increased risk of loss of connectivity
– You need to be able to function without the Cloud

Workflow
• Cloud Applications need to be evaluated to see how they fit into organizational workflow
• Just going to something because it’s “in the Cloud” doesn’t help you
• You need to be able to make sure that applications work with what you have

Example #1 - Research
• Implemented a new double-blind system for research subject selection
• We were able to verify/validate the entire development and management process with vendor
• We were able to present a solution to executive leadership that was more secure than on-premise
• On-premise would not allow this system to work across institutions

Example #2 – Public Web
• With limited IT resources, they are not considered “core”
• We entered into an arrangement with a third-party hosting firm
• We conducted a risk assessment and interviewed the vendor
• We added specific language on security vulnerability remediation to contracts
• We are in the process of transitioning formerly on-premise web sites to the cloud, which reduces risk to our network

Conclusion
• The Cloud has always been there, and it’s not going anywhere due to multiple factors
• You need to be able to reduce costs, but at the same time, increase service quality
• If you also take Governance, Security, Vendor Relationships, Disaster Recovery, and Workflow into consideration, you will be able to implement what your organization needs
