
Cloud Computing

Cloud Computing and Medicine
Michael J. Nowak
MED_INF_407-DL 55
Sunday, December 9th, 2012
Prof. Karin J Lindgren

ABSTRACT

The passage of the HITECH act produced a flurry of activity in the health information field. The result was the move to a complete electronic record (EMR). This explosion of data stressed the existing server capacity of health care operations. The move to virtual server solutions has helped alleviate some of the stress by balancing the load across multiple servers. A new technology called cloud computing moves the virtual server from the confines of the organization to an outside venue. This service provides the server storage required to meet the future needs of the EMR. At the same time it reduces the cost to organizations because they do not need to purchase additional server capacity. There are concerns from a legal perspective relative to protection of patient information. The fact that the information leaves the confines of the organization suggests issues concerning the control and possible breach of the data. This paper examines cloud technology from both an operational and legal perspective.

Table of Contents

Introduction
Health Information Exchange
What is cloud computing
Cloud versus internet
Risk of cloud computing
Scenario 1
Scenario 2
Scenario 3
Scenario 4
Discussion
Recommendations
Conclusion
References

Introduction

Computers gained popularity in healthcare in the 1960s when large mainframe computers were used to process hospital claims. These computers were housed offsite and were owned by third parties. Computer processing time was rented to the hospital and data was sent to the computers over leased telephone lines or on large reels of magnetic tape. Hospitals had set times when the data was processed in batches. Security risks were at a minimum. Patient privacy was not a priority and HIPAA was not yet initiated. The primary concern of IT managers at the time was maintaining the integrity of the magnetic tapes.

Technology advanced to the point where computers came down in both price and size. These advancements allowed computers to be moved from third-party locations to inside the hospital's physical plant. The computers were still very large and special rooms had to be built to meet both power demands and temperature requirements. Hospitals spent a considerable amount of money in establishing these new computer centers. Since the computers were located at the hospital, all hospital data was now located in-house. IT security was still focused on data storage and on maintaining the integrity of the data.

Hospitals followed this scenario for many years. Computers became both smaller and faster. Computer data storage moved from tape to physical storage on computer hard drives. Software developers produced a wealth of new programs. Hospital IT was advancing at a rapid pace. All data was still being kept within the confines of the hospital. Since data was not exposed to the outside world, security was not a major issue.

This all changed with the beginning of the internet. Hospital data that was once protected by the walls of the hospital was now exposed to the outside world. The internet exposed data in two ways. In the first way, data moved outside the hospital for the first time since the 1960s. Once outside the hospital, the data became susceptible to a number of threats. Email was the first system that exposed hospital data. An email that was sent to a designated person could then be forwarded on to others. Since the email was being sent through public telephone wires, it was exposed to anyone who had the means and intentions to intercept it. Applications were developed so that hospitals could send data to other locations and entities such as insurance companies and government agencies (Medicare & Medicaid).

The internet exposed hospital information in a second way. Since the hospital's information system had to communicate with the outside world, the systems became vulnerable to individuals attempting to gain entry directly into the hospital's information system. A new term, computer hacker, was coined for individuals who attempted to gain access to information by hacking into the computer system. Other terms such as malware and computer virus became part of our vocabulary. This brought major security challenges to the information technology industry. They responded with antivirus programs and computer firewalls. These challenges continue today.

Health Information Exchange

A major driving force in healthcare today is the exchange of health care information. According to Hripcsak et al., Health Information Exchanges (HIE) are being implemented across the nation with the hope that the projects will improve both the quality and efficiency of care. A major impetus to the implementation of these projects was the Health Information Technology for Economic and Clinical Health Act (HITECH) as well as meaningful use. The act resulted in billions of dollars becoming available for healthcare information projects (Kuperman, 2012). A major focus of these projects is the development of the electronic medical record (EMR). The EMR would serve as the basis for collection and storage of all health care information for a given patient.

Historically, many health care providers operated independently. There was no connection between your primary physician and physicians with specialized practices such as dermatology and orthopedics. When you fell and hurt your ankle you were treated by your primary physician. If the doctor suspected something more serious they referred you to a specialist. In this case the specialist would be an orthopedic surgeon. The doctor would provide a list of orthopedic surgeons for you to choose from. The steering of patients to one orthopedic surgeon would be considered unethical and possibly illegal if the doctor was receiving kickbacks for the patient referrals. Under this scenario there was little risk of disclosure of patient information.

The landscape changed when insurance companies began to pool doctors into networks and controlled the referral process. Doctors provided information to the insurance companies. The data flow was in one direction, which was to the insurance companies. The insurance companies did not share that information back with the providers involved. Since the data flow was one directional there was little risk of disclosure of patient information. While there were efforts to improve the quality of care, the data was used primarily for paying claims and looking at utilization of services. Therefore, there was little impact on quality of care.

Hospitals began to buy up physician practices and systems began buying hospitals. The result was that doctors became part of large practice groups. Information on patients was now shared among the providers and hospitals. The boom in the availability of patient information caused a logistical nightmare. The paper chart had to be physically moved between the providers. Consider a hospital system with 5 hospitals, three clinics and 500 physicians across a broad spectrum of specialties. A patient being treated for a complex illness may need to see several specialists and obtain lab tests and x-rays. The patient now presents in the Emergency Department. Where is the chart?

The major obstacle in the way of HIE projects is the paper chart. The move to an EMR would make the paper chart go away. However, the EMR would still be contained within the hospital system. Since the chart was now shared among a number of providers and support personnel, the risk of a disclosure of patient information increased dramatically. Complicating this issue is that there would be no way to determine who compromised the patient data.

The idea behind HIE is that many people can benefit from the exchange of healthcare information. The benefits fall into two major categories, business operations and clinical care. Business operations include data exchanges with insurance companies, government agencies (Medicare & Medicaid) and regulatory agencies. Clinical care information involves patient care across a wide spectrum of providers. HIE practices would allow patients to seek medical care across a county, state or country where the doctor would have immediate access to the patient's medical record. This would be a major improvement for patient care.

A key to obtaining many of these goals is access to clinical data which is spread across a broad spectrum of health care providers. In most cases these providers are not connected. The data also sits in a number of different software applications and is stored in a number of different data formats. The further you go from the original organization, the more challenges there are in exchanging data. The exchange of the data is called interoperability. In order for the data to be exchanged, data standards need to be agreed upon and data interfaces need to be developed. Once these standards and interfaces are implemented the data still needs to be shared and accessed. One potential method which is gaining popularity is cloud computing.

What is cloud computing?

The internet revolutionized computing and cloud computing represents the next generation of information technology. When you hear the words cloud computing it conjures up images of data being sent to some obscure place in space. It is often confused with the internet. In reality, it is very different. The National Institute of Standards and Technology (NIST) is a division of the U.S. Department of Commerce and provides expertise in technology. NIST defines cloud computing as follows: "Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction" (Mell, 2010).

NIST further defines five essential characteristics of cloud computing. These characteristics are:

On-demand self-service: An individual can access the server without interacting with a person.
Broad network access: The network can be accessed by low level devices (mobile phones and thin clients).
Resource pooling: The user has no idea what servers are being used and in which locations.
Rapid elasticity: The system can expand and contract to meet the scalability and resource demands of the situation.
Measured service: System usage can be controlled and reported in a transparent way so that the consumer can monitor their usage.

The NIST also defines three types of service models. They are:

Software as a Service (SaaS): In this case the consumer uses the software that is supplied by the cloud provider.
Platform as a Service (PaaS): This service allows the consumer to use programs written on software provided by the cloud provider on the cloud infrastructure.
Infrastructure as a Service (IaaS): In this case the consumer can deploy their own software on the cloud.

Finally, the NIST identifies four deployment models. The deployment models are:

Private cloud: In a private cloud the infrastructure is provisioned exclusively for its members. The cloud may be located on or off site.
Community cloud: The cloud infrastructure is provisioned for exclusive use by members of a community that has a shared interest.
Public cloud: The cloud is open to the public and may be owned by an academic institution or business group. The cloud resides at the hosting business.
Hybrid cloud: In this type of deployment there are multiple cloud infrastructures that are separate but can share technology so that the load on the cloud can be balanced.

The primary goal of NIST when publishing these guidelines was to provide a basis for cloud implementations. The key to the success of cloud technology is that it can offer resources on demand. These services can be purchased as they are needed, thereby reducing the cost of applications and storage. According to Mork (2011), "Compared with conventional computing, this model (cloud) provides three new advantages: massive computing resources available on demand, elimination of an up-front commitment by users, and payment for use on a short-term basis as needed."

Cloud computing can be used for many applications. The following example illustrates the capacity for cloud computing to make a real impact in an area of health care. A concern at many major hospitals that serve as referral centers is overexposure to radiation. This occurs when patients are transferred from other hospitals. The patient's radiological images such as CAT scans are copied onto CDs and sent along with the patient. When the patient arrives the disc is put into a computer and the image is read. In many cases, the image cannot be read by the receiving hospital or the image is for the wrong person. In the case of emergencies the hospital has no choice but to repeat the scan. This exposes the patient to both unnecessary additional radiation and the additional cost associated with the new scans.

Companies such as LifeImage have implemented a cloud solution which will eliminate these duplicate scans. The referring hospital will upload the image to the cloud server. The receiving hospital can review the scan and, if they want, can download it to the hospital's PACS system. There are a number of PHI issues in this process. The process eliminates the risk of patient information in the form of the CD getting lost or misplaced. Also, what does the hospital do with the CDs? They cannot be placed in a paper chart nor can they be placed into the EMR. They will need to be destroyed. In this case cloud computing would eliminate these risks and improve patient safety.

Healthcare organizations see a number of applications where the cloud can make a difference. Proponents in biomedical computing feel that the cloud can provide a platform for data sharing among researchers (Rosenthal et al., 2010). They do go on to say the technology must be thoroughly tested.

Cloud versus Internet

There is a misconception that the cloud and the internet are the same. This is not the case. The cloud exists as virtual private networks (VPN) which control access. In contrast, the internet uses an open highway across the world, routing network traffic through arbitrary servers. The consumer cannot select the route that the data takes on the internet. In contrast, the data takes a very specific route determined by the cloud infrastructure. In many ways traffic on the cloud is much safer. However, there is still a great deal to learn about the vulnerabilities of cloud computing.

Risks of Cloud Computing

Cloud computing presents many risks. These risks can be both operational and legal. The operational risks involve storing and accessing information at an offsite location. The legal risks involve the exposure of patient information. These risks are often intertwined. In order for the health information to get to and from the cloud storage site it must physically pass through a number of wires, switches, routers and servers. Throughout this process the data can be exposed to potential risk. In addition, the hardware can be owned by dozens of different companies. This section will explore cloud computing and try to determine areas that may present risk. This will be accomplished by examining different scenarios and what risks may be present.

ABC hospital system is a hypothetical hospital system located in Ohio. It consists of 15 hospitals, 10 health clinics with 1,000 providers. The system also has hospitals in several states and three foreign companies. The hospital was concerned with data access and storage. They were concerned about the escalating cost of owning and maintaining physical servers. They contracted with White Cloud Computing, a newly formed cloud solution company. White Cloud Computing would provide an access and storage solution for a monthly rental fee. White Cloud Computing is located in Cleveland, Ohio and has set up a server farm located in an old industrial warehouse. Electricity is provided by First Energy. White Cloud has also entered into an agreement with Catch the Crook for their data security. They have also entered into contracts with several phone and internet companies to provide data transmission services. These companies are located in four countries. Let's examine several different scenarios that can impact data security and patient confidentiality.

Scenario 1: A famous sports figure is admitted to an ABC hospital for an undisclosed medical condition. It is presumed that information was leaked to the press by an operator at the White Cloud storage farm. The hospital is facing major litigation. How could the hospital reduce their exposure to this type of action?

Perform due diligence and identify all parties that are involved in the cloud process. This includes all subcontractors.
Make sure that the contract with White Cloud includes all the appropriate Business Associate (BA) agreements for subcontractors.
Make sure that the data is encrypted at all levels. Proper encryption could have prevented the disclosure.
All data processing should have an electronic audit function which tracks everyone who accesses the information and is date and time stamped.

This scenario represents the problems associated with your data leaving your control. This is at the heart of the issue of cloud computing and it illustrates why these points are important. In this case, proper data encryption may have prevented the disclosure. The other points may limit the hospital's exposure.
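
The audit function recommended in Scenario 1, shown as an added example that is not part of the original paper: each access is date and time stamped and chained to the previous entry with an HMAC, so an entry that is later edited, removed or cut off the end of the log is detected. The class name, field names, user names and record numbers are hypothetical, and the sketch assumes the hospital, not the cloud operator, holds the HMAC key.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # "previous tag" value for the first entry in the chain


class AccessAuditLog:
    """Append-only, HMAC-chained log of who accessed which patient record."""

    def __init__(self, key: bytes):
        # Assumption: the hospital holds this key, not the cloud operator, so
        # storage-side staff cannot alter an entry and recompute a valid tag.
        self._key = key
        self.entries = []

    def _tag(self, body: dict) -> str:
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hmac.new(self._key, canonical.encode(), hashlib.sha256).hexdigest()

    def record(self, user, patient_id, action, when=None):
        """Append one date- and time-stamped access event."""
        when = when or datetime.now(timezone.utc)
        body = {
            "seq": len(self.entries),
            "ts": when.isoformat(),
            "user": user,
            "patient_id": patient_id,
            "action": action,
            "prev": self.entries[-1]["tag"] if self.entries else GENESIS,
        }
        entry = dict(body, tag=self._tag(body))
        self.entries.append(entry)
        return entry

    def head(self):
        """(entry count, last tag); keep a copy in-house to detect truncation."""
        return len(self.entries), (self.entries[-1]["tag"] if self.entries else GENESIS)

    def verify(self, expected_head=None):
        """Return the index of the first bad entry, or None if the log is intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "tag"}
            if body.get("seq") != i or body.get("prev") != prev:
                return i  # entry removed, inserted or reordered
            if not hmac.compare_digest(self._tag(body), str(entry.get("tag", ""))):
                return i  # entry contents changed after it was written
            prev = entry["tag"]
        if expected_head is not None and (len(self.entries), prev) != tuple(expected_head):
            return len(self.entries)  # entries cut off the end of the log
        return None

    def who_accessed(self, patient_id):
        """List (user, timestamp, action) for every access to one patient."""
        return [(e["user"], e["ts"], e["action"])
                for e in self.entries if e["patient_id"] == patient_id]


def build_sample_log():
    """Constructed sample data: three access events on two made-up records."""
    log = AccessAuditLog(key=b"constructed-demo-key")
    t0 = datetime(2012, 12, 9, 14, 0, tzinfo=timezone.utc)
    log.record("dr.alvarez", "MRN-0001", "read", t0)
    log.record("storage.operator7", "MRN-0001", "read", t0 + timedelta(minutes=5))
    log.record("nurse.kim", "MRN-0002", "update", t0 + timedelta(minutes=9))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(log.who_accessed("MRN-0001"))
    log.entries[1]["user"] = "dr.alvarez"   # simulate an attempt to hide an access
    print("first bad entry:", log.verify())
```

The value returned by head() has to be stored somewhere the cloud provider cannot write to; without it, entries dropped from the end of the log go unnoticed.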

Scenario 2: In this scenario White Cloud Computing fails to pay its bill to Catch the Crook data security. Data security has now been turned off, exposing all of ABC's patient data. ABC hospital system is unaware of the problem. It is difficult to know what happens at other companies that are beyond your control.

ABC can set it up so that they will receive notice in the event that White Cloud does not pay their bill to Catch the Crook data security. It is very important that organizations keep on top of their data security. The organization can put these notifications in place when negotiating the contract.

Scenario 3: A major storm hits Cleveland with high winds and torrential rain. The roof begins to leak onto some old wiring. This causes an explosion and fire in a transformer. The power goes out. The emergency power generator kicks in and the system starts functioning again. This lasts for 5 minutes and the emergency generator stops working. The system is now dead. The hospital has lost its link to all historical patient information. An assessment of the warehouse shows considerable damage from water and from smoke from the transformer fire. It is not known how much data has been lost and/or how long the system will be down.

It would have been wise for the ABC hospital system to inspect where the data was being housed as part of their due diligence prior to signing the contract. An inspection of the site would have revealed an old building with roof and wiring deficiencies. The hospitals lost their access to patient data. Selecting a cloud provider that placed mirrored data in another location would have mitigated the immediate loss of information and would have provided a backup against loss of historical information. This scenario again illustrates the concern of cloud computing in that you do not have direct control of your data. It also highlights the importance of due diligence when moving to the cloud.

Scenario 4: ABC hospital system has undergone a transition within their information technology services division. In the process of the transition, the payment to White Cloud was not made. The contract went into default and White Cloud stopped access to the cloud. The hospital system could no longer access their patients' information.

The hospital has lost access to patient data. Depending on the amount of time it takes to restore access, it may impact patient care. The organization should make sure that there are notification policies built into the contract so that multiple people are contacted. This scenario illustrates the loss of control of your data when using the cloud.

It is important that organizations know what to do if they choose to use cloud technology. The cloud provider needs to be vetted thoroughly and contingency plans must be developed to handle the scenarios listed above, in particular scenarios which impact access and distribution of PHI.

The computer industry is undergoing a computer technology explosion. According to Grossman & White (2012), "The power of computer processors doubles in less than 18 months, as the capacity of computer storage discs." Organizations are now producing huge caches of data and have been exploring many of the new technologies in order to store and process it. The traditional way of storing data is in servers with each server designated for a specific use. In hospitals there may be servers dedicated to email, accounting and the EMR. Adding servers in this way has become expensive. An innovation called the virtual server allowed these processes to be shared amongst the organization's servers, resulting in a reduced need for additional physical servers. This innovation also led to virtual desktop solutions. Virtual servers were the precursor to cloud technology. Cloud computing is taking the virtual server to the next step.

It is estimated that 28% of organizations use the cloud in some capacity (Muntz, 2011). Cloud computing is gaining an increasing segment of the health care market. Many of the organizations that have incorporated some version of cloud technology have experienced some savings. Kunick (2011) goes further to state that "According to the CDW survey, 88% of health care organizations that are cloud users have reduced the cost of software applications by moving them into the cloud, with an average annual savings of 20 percent." He also suggests that while traditional IT is based on a traditional licensed software platform, the move to cloud computing, transitioning to cloud-based solutions, raises new commercial and legal issues that should be carefully considered before making the move to this undiscovered country.

Discussion

Cloud computing is a new technology that is making major inroads into health care. The technology provides a cost effective solution to information sharing and meets the needs of the HITECH act such as Health Information Exchanges. It provides a way to access the HIE from many different locations and through a wide range of devices. Gravely & Whaley (2009) state that "The privacy and security of health data is of paramount concern to participants in any health data exchange arrangement, including a network of HIEs." Therefore, it is important to maintain privacy in any HIE. The technology can have a positive impact on patient care.

However, cloud computing has a number of detractors. The major concern is patient confidentiality. Hospitals are still responsible for their data. Attorney Roy Hadley predicts that as hospitals move to the cloud, security breaches will become more prevalent. Security lapses could collectively cost billions every year (Page, 2011). Another concern of the cloud is how do you maintain confidentiality across all providers?

Cloud computing is making a serious inroad into health care. There are a number of items that should be discussed before a move to the cloud. The following is a list of pros and cons for cloud computing.

Pros and Cons of Cloud Computing

Pros

The major driving force behind cloud computing is savings. With cloud computing there is no longer the need to buy and service additional server capacity. This results in a significant saving in capital investment.
Cloud computing has a known fixed cost which can be easily budgeted.
Cloud computing is scalable. As the organization's data requirements increase, the cloud can expand to meet this need without the organization purchasing additional servers.
The cloud provides for distributed data.
The cloud presents unprecedented access to patient information. Information can be accessed from any location and at any time. Data can also be accessed from mobile devices such as tablets and smart phones.
Cloud computing provides resources on demand, pay per use, large data farms, and economies of scale (Rosenthal et al., 2010).

Cons

Who has access to data
Security
Compliance
Lack of control
Unintended consequences

This list is not exhaustive but is meant to highlight some of the issues relevant to cloud computing. With any technology there are ways to limit exposure through a breach of security. There need to be policies and procedures in place that monitor systems. Reporting mechanisms should be in place to quantify when events occur. Risk assessments should be conducted periodically to identify potential risks (Blass & Miller, 2010). All staff should be trained to identify security risks. Once risks are identified, policies and procedures can be put in place to mitigate these risks.

Recommendation

One idea is to develop more than one cloud to meet the needs of healthcare. As mentioned earlier, there is more than one type of cloud. Two types that were mentioned are a private cloud and a public cloud. One scenario could be a private medical cloud. Fuss (2011) states that in a private cloud setting, security is under his control. All data in transit is encrypted; all data is point to point; all data is within the network structure. At no point is it leaving the network, going someplace else and coming back in. This cloud can be limited to use by one organization. This would ensure that PHI is not compromised. The cloud can be expanded to include other organizations that join a health care data sharing consortium. This consortium would have strong PHI protection agreements in place.

Chen, Lu, & Jan (2012) suggest developing a combination private and public cloud. Hospitals' patient medical information such as lab results, medications etc. can be stored in both the hospital's private cloud and a public health care cloud provider. They go on to suggest that "Within this kind of cloud environment, the cross hospital access is an important issue between the request-hospital and the owner-hospital." Schweitzer (2012) suggests using a SAAS or PAAS provider which would have to implement HIPAA requirements in a business associate contract. He goes on to say that the HIPAA specified controls listed above (SAAS or PAAS) can be directly transferred from a traditional in-house system to an outside provider of simple EHR hosting or of cloud architecture services.

Conclusion

With the passage of the HITECH act and the implementation of meaningful use there has been an explosion of information technology projects. Most of these projects have centered on the electronic medical record (EMR). This increased need for information processing has placed a tremendous load on the current information technology infrastructure. There has been an increased need for data processing and storage. A number of new solutions have been developed. One of these new solutions is cloud technology. Cloud technology provides a cost effective solution that can meet our future healthcare computing needs. Since the technology is new, organizations should remain cautious as they explore it.

The major concern with cloud computing is that it moves patient information from within the organization to a site or sites physically located away from the organization's facilities. When data is moved away from the facility, the facility loses control of the data. It is the lack of control that troubles health care administrators. Therefore, when selecting a cloud provider, care must be taken through rigorous evaluation of the cloud service providers. Particular attention should be applied to the protection of patient information. In addition, when organizations are considering a move to cloud technology they should start small and conduct due diligence in respect to all companies that will come in contact with the data.

Finally, based on my review of the available literature, it would make the most sense to stay with the private network. There is pressure to move more towards a public network for health information exchanges, but the private network limits the exposure of PHI and would reduce the risk of a security breach. This private network can be offered to other similar health care organizations in a limited roll out to develop a medical cloud. With the advent of HIEs a combination of both a private and a public medical cloud would be required. The private medical cloud would house the patient's EMR and the public medical cloud would house a limited data set. This would reduce exposure of protected patient information.

References

Blass, G. & Miller, A. (2010). Protection Detail: Protecting Against Breach of Electronic Protected Health information. JHIM, 24(3), 7-8.
Chen, Y. Y., Lu, J. C., & Jan, J. K. (2012). A secure EHR system based on hybrid clouds. J Med Syst, 36(5), 3375-3384. doi: 10.1007/s10916-012-9830-6
Gravely, S. & Whaley, E. (2009). The Next Step in Health Data Exchanges: Trust and Privacy in Exchange Networks. JHIM, 23(2), 33-37.
Grossman, R. L., & White, K. P. (2012). A vision for a biomedical cloud. J Intern Med, 271(2), 122-130. doi: 10.1111/j.1365-2796.2011.02491.x
Kuo, A. M. (2011). Opportunities and challenges of cloud computing to improve health care services. J Med Internet Res, 13(3), e67. doi: 10.2196/jmir.1867
Hripcsak, G., Grance, T. 2010. The NIST definition of cloud computing. Commun ACM. 53(6):50
Kuperman, G. (2012). Health-information exchange: why are we doing it, and what we are doing? J Am Med Inform Assoc, 18, 678-682.
Kunick, J. (2011). Health Care in the Cloud. HealthData Management. http://www.healthdatamanagement.com/issues/19_8.
Mell, P. & Grance, T. (2011). The NIST Definition of Cloud Computing: Recommendations of the National Institute of Standards and Technology, National Institute of Standards and Technology Special Publication 800-145.
Mork, P., Kimura, E., Reynolds, C., & Lai, F. (2011). Opportunities and Challenges of Cloud Computing to Improve Health Care Services. J Med Internet Res, Jul-Sep; 13(3): E67
Perna, G. (2012). A hazy outlook for cloud computing. Healthc Inform, 29(1), 14, 16, 18 passim.
Rosenthal, A., Mork, P., Li, M. H., Stanford, J., Koester, D., & Reynolds, P. (2010). Cloud computing: a new business paradigm for biomedical information sharing. J Biomed Inform, 43(2), 342-353. doi: 10.1016/j.jbi.2009.08.014
Schweitzer, E. J. (2012). Reconciliation of the cloud computing model with US federal electronic health record regulations. J Am Med Inform Assoc, 19(2), 161-165. doi: 10.1136/amiajnl-2011-000162
