
Post on 29-May-2020






  • Considering the Cloud: Inside the Mind of the Healthcare CIO

    December 15, 2015

    2:00 – 3:00 pm ET


  • Housekeeping Issues

    • All participants are muted – To ask a question or make a comment, please submit via the chat feature and we will address as many as possible after the presentations.

    • Audio and Visual is through – If you are experiencing technical difficulties accessing audio through the web, there will be a dial-in phone number displayed for you to call. In addition, if you have any challenges joining the conference or need technical assistance, please contact ReadyTalk Customer Care: 800.843.9166.

    • Today’s slides will be available for download on our homepage at

  • Overview of eHealth Initiative

    • Membership-based, non-profit

    • Mission: to promote the use of HIT as a key component of health system reform.

    • Research, advocacy, education: host webinars and events to:

    – Highlight higher-level theory and policy behind the use of health IT

    – Demonstrate on the ground examples of how organizations are using technology

    – Share lessons learned and best practices

  • Multi-Stakeholder Leaders in Every Sector of Healthcare

  • Considering the Cloud: Inside the Mind of the Healthcare CIO

    • Explore the role of the cloud in healthcare

    • Why use the cloud in healthcare? – discuss advantages of cloud infrastructure

    • How to best enable the effective use of cloud? – governance, security, vendor relationships, workflow, etc.

    • What impact has the cloud had on the


  • 6


     2:00 – 2:05 Welcome & Introductions

     2:05 – 2:30 Presentations

    – Mitch Parker, Chief Information Security

    Officer, Temple University Health System

    – Chad Thiemann, Privacy Director, Information

    Governance & Privacy Operations, CVS


     2:30 – 3:00 Audience Q&A

  • 7


    Chad Thiemann, Privacy Director, Governance & Privacy Operations, CVS

    Mitch Parker, Chief Information Security Officer, Temple University Health


  • Considering the Cloud

    Mitchell Parker, CISSP


    Temple Health

  • Purpose of Presentation

    • To show that the cloud is already in use in the healthcare environment, and how we can best manage it

  • The role of the Cloud

    • Healthcare has always been about leveraging shared services to save money

    – In the first days of computing, Service Bureaus used to provide time on mainframes for data processing

    – Shared Medical Systems’ (now part of Cerner) business model was based on it

    • This model continues, with multiple vendors offering Electronic Medical and Health Records as shared services

  • The role of the Cloud (2)

    • There are several factors causing CIOs and CFOs to look into the Cloud:

    – Increased Clinical Initiatives taking up capital pool
    – Increased operational costs for EMRs, EHRs, and supporting ancillary systems

    – Cash flow pressures due to public markets (bond, stock) and need to maintain certain operational income margins

    – Increased regulatory requirements (Joint Commission, CMS)

  • Why use the cloud in healthcare?

    • Reduce costs of supporting non-core systems

    – Human Resources, Supply Chain, E-mail, File Storage

    – Turn capital costs into Operational Costs

    • Provide Better Security

    – Cloud Providers can provide better support and maintenance as they focus on your systems

    – They plan in aggregate and leverage costs

    – Better operational monitoring of systems

    – Better patching and protecting against vulnerabilities

  • Why use the cloud in healthcare (2)?

    • Reduce costs of supporting core systems

    – EMRs are expensive

    – So are Ancillary Systems

    – Scarce resources for large popular implementations

    – Hosting the EMR elsewhere allows for predictable costs, maintenance, and upgrades

    – It also reduces risk to the core environment by having patients access the third party site instead of the hospital/healthcare environments


  • Governance

    – Cloud applications need to fall under the same rules and regulations that on-premise applications do, with no exceptions

    – Supply Chain needs to be heavily involved

    • One of the issues we found was “shadow IT” doing acquisition and purchasing

    • You need to be able to have one set of rules that apply to everyone

    – Departments need to be heavily involved

    • Even if your departments do not have cloud-based applications, their vendors do

  • Security

    – You need to be very comprehensive in security evaluations

    • Standardized Questionnaire

    • Standardized Contract Language for HIPAA and Security

    – Preliminary Risk Assessments of products before the contract is even signed

    – Yearly risk assessments as per the HIPAA Security Rule

    – You have every right to ask questions and ask vendors for changes

    – Always make sure that moving a core system improves security and supporting processes

  • Vendor Relationships

    – You need to have very tight relationships

    • They are your business partners, not your adversaries

    – Make sure that contracts spell out everything they need to do

    – Make sure that preliminary questionnaires cover major areas of security (hosting, development, ongoing maintenance, upgrades, downtime)

    – You need to be upfront and specific about security Service Level Agreements

  • Disaster Recovery

    • As per the Joint Commission Information Management Standards, organizations need:

    – Downtime Procedures

    – Disaster Recovery Plans

    • While an organization might have been able to get away with not updating this as much in the past, this is different now

    • This is now something that needs to be tested at least yearly, if not more

    • This is one hidden cost that organizations may not be aware of

    – Cloud does not obviate your need for DR and Downtime Procedures

    – Now that your applications aren’t on premise, even if they are redundant, there is still increased risk of loss of connectivity

    – You need to be able to function without the Cloud

  • Workflow

    • Cloud Applications need to be evaluated to see how they fit into organizational workflow

    • Just going to something because it’s “in the Cloud” doesn’t help you

    • You need to be able to make sure that applications work with what you have

  • Example #1 - Research

    • Implemented a new double-blind system for research subject selection

    • We were able to verify/validate the entire development and management process with vendor

    • We were able to present a solution to executive leadership that was more secure than on-premise

    • On-premise would not allow this system to work across institutions

  • Example #2 – Public Web

    • With limited IT resources, they are not considered “core”

    • We entered into an arrangement with a third-party hosting firm

    • We conducted a risk assessment and interviewed the vendor

    • We added specific language on security vulnerability remediation to contracts

    • We are in the process of transitioning formerly on-premise web sites to the cloud, which reduces risk to our network

  • Conclusion

    • The Cloud has always been there, and it’s not going anywhere due to multiple factors

    • You need to be able to reduce costs, but at the same time, increase service quality

    • If you also take Governance, Security, Vendor Relationships, Disaster Recovery, and Workflow into consideration, you will be able to implement what your organization needs
