October 12, 2009

IT in the Sky
By Sandra Nunn, MA, RHIA, CHP
For The Record
Vol. 21 No. 19 P. 20

Cloud computing has become an option for healthcare organizations looking to weather tough financial times.

As a records manager, you may feel quite removed from the frenzy and hype going on in the computer world over cloud computing. That’s unfortunate because, more than anyone else in a healthcare organization, the HIM director or the records manager needs to be well versed in cloud technologies.

The term “cloud” is an old reference to the Internet and how it was often depicted as a cloudlike group of linked technologies. How does the “cloud” work, and why is it so attractive? Currently, the architecture behind cloud computing consists of services delivered through data centers built on servers with different levels of virtualization. One thing that has made cloud computing possible is the arrival of open standards. Now, cloud services can flex and work with any network as long as it abides by known standards. What this boils down to is that organizations can rent computer usage from a company with a developed cloud or a group of technologies that can be customized to their individual needs.

With the economy in shambles and IT departments slashing budgets, the possibilities for cost control inherent in the cloud are attracting close attention from chief information officers (CIOs), including those in healthcare. No longer required to purchase hardware or software, CIOs can absorb monthly rental costs and rely on the cloud company to keep both hardware and software updated. It’s outsourcing in the extreme sense of putting your IT infrastructure somewhere else. According to a report by the Arizona State University W. P. Carey School of Business The size of many cloud service vendors (eg, Google, Amazon) means that CIOs never again have to worry when computer capacity rises dramatically and healthcare organizations no longer have to develop for peak loads and then leave capacity unused most of the rest of the time.

Why Worry?
All of the above sounds too good to be true, doesn’t it? Why would anyone still build their own IT infrastructures when it would be easier and simpler to just rent? There are a number of problems associated with relying on cloud computing.

Just as users discovered when they bought proprietary software applications and then tried to make minor changes to the code to customize the application to their own healthcare environment, costs can suddenly grow. Users soon found that money had to change hands every time even minor changes were envisioned because the vendor had a lock on the code. Vendors offering the varying suites of cloud technologies create the same predicament.

Before signing on the dotted line and giving up a lot of the independence and flexibility that having one’s own IT infrastructure offers, CIOs must carefully consider entering a long-term engagement with a “cloud” vendor or making any technology arrangements that may not be ideally suited to the healthcare organization.

Another financial consideration concerns surrendering a developed internal infrastructure whose costs can be controlled through incremental internal reductions for a locked-in arrangement that may force the organization to keep pace with constant price increases.

A potentially more serious problem is the idea of handing over private data to a third party. This eventuality should provide pause to HIM directors tasked with guarding patient information. Health information housed within an organization’s security framework is protected in a manner that may be different from how an external entity would go about securing it. Of course, per HIPAA, a covered entity such as a healthcare organization can require a business associate’s agreement from a cloud vendor that will be handling patient records or other sensitive information on the provider’s behalf.

When cloud vendors can offer virtually unlimited storage capabilities, the problems IT departments face due to ever-expanding archives of electronic records—especially large EHR files filled with images and other capacity-consuming documents such as wave forms—become a thing of the past. However, HIM directors, as custodians of the legal EHR, must insist on documented measures to mitigate risk before signing off on the storage of records out in the cloud. Some of the basic questions that must be answered before records can be moved out of the organization include the following:

• Who in the vendor organization will have access to the privileged or private information? How will that access be managed and controlled?

• Will the cloud vendor allow the healthcare entity to audit its practices and check its security? Will the cloud vendor have audit trail functionality, and is it willing to share audit trail findings?

• Can the healthcare entity specify a segregated area for the location of its data? Does the provider know the exact location of its information? Will the entity’s sensitive information be stored in one electronic location, or will it be virtualized over multiple locations, some of which may not even be in the country?

• Is data encryption as it is input or output available?

• Does the vendor offer data restoration in the case of a disaster? If so, how long would it take to recover EHRs or other critical records?

• Is there a legal arrangement to transfer protected health information back to the healthcare organization if the cloud vendor goes out of business or is merged with another company?

• Can the vendor retain items such as medical records for decades until they reach their legal expiration dates? Can the vendor guarantee production of these records in the required formats, even years from now? How will copies of records be rendered when they are retained in an external environment?

• Is the cloud vendor willing to offer a service level agreement describing availability, expected response times, back-up schedules, etc? For example, will EHRs be accessible 24 hours per day, or will there be downtimes?

Beyond the Storage Solution
In addition to the enormous electronic storage potential cloud companies offer, there are other potentially appetizing services available or in development that may have implications for healthcare entities. One of the things a well-developed vendor advertises is the leasing or use of computing power for development that may not be available in an HIT department. This computing power is billed like a utility (ie, the healthcare organization is billed for as much or as little of the computing power it has signed up to access). This allows cash-strapped healthcare organizations to flex up and down in the development of applications just as their cash flow changes with different reimbursement models from payers.

The ability to lease computing power has several advantages. New initiatives can be attempted without the concern of sunk costs if the innovation fails to pan out. This allows organizations to be more flexible and dynamic while limiting risk. It is also easier to scale existing IT operations without concerns about fixed costs.

Another advantage extended by the cloud concept is the ability to access the storage and other leased functionalities from virtually anywhere. Employees with nothing more than access to a Web browser and a login can be up and running, capable of working quickly with no investment in installations of at-home functionality. As an HIM professional, this could mean the reduction of expenses associated with fleets of at-home coders and transcriptionists and a drop in the cost of the IT staff assigned to support such employees.

Access to the cloud permits the hiring of remote staff while maintaining complete functionality without any of the issues associated with functioning far from the healthcare organization’s IT core. For an HIM manager, the increased ability of IT to complete customized development at low cost means that he or she can finally get applications, reports, and measurement tools that are not rigid, “out-of-the-box” solutions but instead adhere to departmental and organizational particularities.

Part of the future ability for the cloud to be successful will be a sustained interest in and adherence to national and international standards on the part of vendors. As organizations have become more reluctant to purchase proprietary-based software, vendors have started to offer more standards-based capabilities. As a result, much like consumers can change cell phone vendors and retain the same number, the healthcare entity is not tied to one cloud or another but has the ability to “port” its stored records or developed applications to another vendor with relative ease if both vendors adhere to standards. For HIM directors, the increased interest in standards means that cloud vendors may be able to archive and deliver electronic charts over the course of many years, provided they are engaged in preservation by agreed-upon standards that will deliver documents in a format that will somewhat resemble the original.

Not Quite Yet
For the healthcare industry, the cloud may not yet be an all-out solution. At this point, cloud technology is fledgling and doesn’t always meet organizational needs. It has not yet been reined in by customers concerned about security, performance, or accessibility failures. HIM professionals must caution their organizations against the management or archiving of patient information until such technologies are more secure and mature. The lack of proven security for protected health information will hold back cloud computing for some time, particularly with the new breach notification mandates included in the HITECH portion of the recent economic recovery legislation. Few healthcare entities will put themselves at risk for public humiliation for a breach of patient information emanating from a cloud vendor.

Balanced against this is the rapid growth and retention of patient information for electronic records, including personal health records, that continually puts organizations in the position of running out of space to keep active information available to care providers because so much old information must be maintained. As Liming Liu demonstrates in his slides for “Cloud Computing Revolution — The Third IT Industry Revolution,” cloud computing is ready now for “low-quality use” (eg, use with data that are not mission critical). Only time and more work will make it capable and secure enough for “high-quality use.”

Two other concerns pop up when cloud computing appears in IT discussions on the Internet. The cloud is still not all that reliable, as major vendors such as Amazon have experienced long downtimes. The other nagging problem is the tendency for cloud vendors to focus on one platform over another, making it risky for a provider to purchase services from one vendor because it may be stuck with that vendor’s platform specificity if service issues make the provider want to move on to another option. It is also likely that large healthcare organizations may need to use more than one cloud.

On top of those concerns, the current set-up is not effective for allowing clouds to communicate with one another. Addressing this issue is in the works, but it remains another stumbling block in the path of a more widespread adoption.

Nevertheless, the cloud is here to stay, and it will grow puffier as it overtakes traditional IT infrastructure, once it has solved its own problems. There is just too much information to manage to expect hospital or health plan IT departments to be able to cover it all. It’s a safe bet that organizations will start to put their toes in the water, seeking creative or experimental applications to help boost efficiency and drive down the costs of healthcare.

— Sandra Nunn, MA, RHIA, CHP, is a contributing editor at For The Record and the enterprise content and information manager at Presbyterian Healthcare Services in Albuquerque, N.M.