February 27, 2012
Negotiating Cloud Computing Contracts
By Susan Chapman
For The Record
Vol. 24 No. 4 P. 20
Experts offer advice on what needs to be included when constructing vendor deals.
Over the last several years, more hospitals have turned to cloud computing to access services and resources through the Internet. By taking advantage of the cloud’s secure, off-site data centers, hospitals are often able to expand their data storage capabilities, keep their software applications up-to-date, and back up important information. As healthcare facilities increasingly move toward cloud computing, questions arise as to what important points must be included in vendor contracts to protect hospitals and their valuable data.
Defining Cloud Computing
The definition of cloud computing is broad, often dependent on the specific needs of individual hospitals. “Cloud computing means different things to different people,” says Gary Palgon, vice president of healthcare solutions with Liaison Technologies.
In fact, hospitals can essentially choose from among the following three different levels of access to the cloud:
• Infrastructure as a service (IaaS): Hospitals outsource expensive technology such as software, servers, and storage space. However, they run and install applications on site. With this model, healthcare facilities pay as they use the service, much in the same way that consumers pay a utility company. Such hybrid cloud environments allow for hospitals to adjust with demand. For example, when there is high demand and a need for “cloud bursting,” facilities can leverage the cloud when the capacity is needed and then spin down the services when demand declines.
• Platform as a service: This allows applications to be developed and deployed via the Internet. In this model, specific business functions, including data integration and management, can take place in the cloud.
• Software as a service: In this scenario, cloud computing vendors provide the software and servers, and everything runs in the cloud. Hospitals access software on demand over the Internet.
Some hospitals employ private cloud computing architecture. According to David Linthicum, founder and chief technology officer for Blue Mountain Labs, “Healthcare facilities will sometimes create their own clouds for certain functions, such as treatment and scheduling, using systems the hospitals own. Larger hospital systems make use of a private cloud, which is accessed by known users. It enables them to have control, maintain privacy, and leverage resources.”
Palgon advises that when a facility works with a vendor, “The level of service a hospital requires—be it infrastructure, platform, or software—will affect what it should look for in a contract.”
Lynette Ferrara, partner with CSC Health Informatics Practice, agrees: “IT executives need to know what they’re buying. The levels should be published in the SLA [service-level agreement], with each level having its own set of pricing. It’s important to know what you’re being offered and what you’re taking on.”
Linthicum notes that well-constructed vendor contracts have two important features: performance expectations and their surrounding metrics. For example, knowing how quickly reports can be generated, what to expect in terms of privacy and compliance, and an understanding of who is liable if something goes wrong are all critical to define during negotiations.
“One example, information that is externalized must be protected in the office and in the cloud. Most leaks happen on premise. Hospitals have to be careful with cloud computing, which intermingles data with lots of other information in a virtual space. Hospitals have to understand risks, and vendors have to understand the importance of compliance,” Linthicum says.
Hospitals must be clear about what is important to them, what responsibilities they are willing to assume, and what responsibilities are those of the vendor.
Ferrara says the type of cloud a healthcare facility uses affects the contract. “With a public cloud, there needs to be password-protection access,” she says. “With a private virtual cloud, there is a lot more security you can purchase from a vendor.”
She points to the recent failure in the Amazon cloud as a good illustration of why it’s important to have clear expectations. “When one of three Amazon clouds went down, some businesses couldn’t operate for a week,” Ferrara says. “A lot of businesses had no problem because they had backup in the sections of the Amazon cloud that were still open for business. This was easy and cheap but took planning. If you’re using the cloud, you have to decide for yourself—is it security, privacy, and staying in business that are important to you. Then you have to make sure it’s in your contract the way you want it.”
A hospital must also consider whether it prefers a private cloud, a virtual public cloud with shared infrastructure, or a public cloud.
“If the hospital elects to use an EHR that is part of the software service,” Ferrara says, “then its IT team must look at if it will meet business needs. How will the vendor support reporting services, for instance, for meaningful use and standard reporting?”
In terms of HIPAA compliance, the same standards and compliancy issues exist in the cloud as they would in a healthcare enterprise. Linthicum notes that 99% of security breaches are generally “people issues” and, with cloud computing, there are additional security ramifications as third-party employees gain access to sensitive data.
Security in the cloud works much like it does at the hospital. For example, nurses are granted access to the patient management system but only to the EHR of the patients they serve. If a nurse accesses a different patient’s record, then that action garners an alert. In the cloud, database administrators (DBAs) should have similarly limited data access, a condition that should be addressed in the contract.
Palgon says the contract should stipulate the facility’s ability to audit the security process. “The hospital should be able to ensure that the DBA isn’t running queries he shouldn’t be. A flag should go up if something is amiss. From a contract level, the hospital and vendor must agree to points like drug testing, encryption, who has access to the data, and walking through the process to ensure that level of control is met,” he says.
To guard against data loss, Palgon says a hospital must ask the following questions:
• Where is the information?
• How often is it backed up?
• How is it restored?
“And then they should run through a scenario to restore,” he adds. “I want to know whether or not I have access to backed-up data. I’ll also want to know the transfer time to shift from cloud A to cloud B, ensuring that data is accessible in multiple systems. Can I spin up anytime from anywhere? Where is the master copy; where is the backup?”
While the risk of uploading a virus to the cloud is minimal, it is possible. “It’s the responsibility of the cloud to make sure a virus can’t spread beyond the bounds of virtualized systems,” Palgon says.
The cloud is less vulnerable to viruses than it is to worms, which self-replicate and can spread across the virtual space. “There are safeguards in the cloud to detect these ‘misbehaviors.’ And once a misbehavior is identified in the cloud, a message goes out to correct it,” Linthicum says.
Palgon cites the Amazon outage as an important warning for hospitals to be prepared for potential disasters. Hospitals need to know what will happen when they are not in the cloud and if the vendor will help them when there is an outage.
By utilizing the cloud, hospitals are no longer in full control. Therefore, the vendor must guarantee that data are backed up. At that point, a hospital needs to make a decision to periodically download that data to ensure they’re backed up locally.
“The facility could put real-time data in holding for the short-term then save it to the cloud,” Palgon explains. “There will be issues along the way; the same way that happens internally.”
Linthicum notes that the contract should spell out what recourse a hospital has in the event of an outage. The cloud provider would pay monetary damages, for example, if a hospital could not access the system. “I always tell clients to have a very detailed SLA before signing the contract,” he says.
The good news, says Linthicum, is that in the cloud, the risk of major data loss is reduced because cloud providers are experts at protecting data and generally offer greater security than on-site servers.
However, it’s not just malware and outages that could be problematic for hospitals that rely on the cloud. Healthcare facilities must also have contingencies in place if a vendor goes out of business. All experts agree that this contingency should be part of the SLA. For instance, if a vendor is bought, then the hospital should know who will pay for data migration. Or if the vendor closes its doors, the hospital will want access to its information. Therefore, it should know its access rights as well as its capability to run its own software.
There is also the possibility that a healthcare facility will become dissatisfied with its service. How the contract can be terminated should be clear, as should the process from moving from one vendor to another. It should be known before signing the contract if the vendor will work with the hospital to help it move to another provider should service be unsatisfactory.
It’s currently challenging to move data from one cloud to another without a great deal of effort, says Palgon, adding, “It’s easy to get data into the cloud, but how do you recover it? That’s something that should be decided beforehand.”
One concept that is new to large enterprises is encryption key management, which is an essential part of cloud computing.
“Just like retrieving data from the cloud can be complicated, so is decrypting information. That’s why the management of encryption keys is crucial,” Palgon says. “If they’re lost, all data are lost. The keys must be backed up and managed. More than one key must be used, and they must be rotated to protect who manages the keys. In IaaS, for instance, the hospital has the keys. As we move into more sophisticated levels of service, then the vendor has the keys. This, too, must be spelled out in the contract.”
As hospitals contemplate their increasing reliance on virtual space and look toward the future of cloud computing, they should try to build flexibility into their contracts and include clauses that allow for negotiation when conditions change.
“It’s vital to know what the facility’s objectives are and if the vendor can meet them, not only today, but also in the future,” Ferrara says. “Hospitals should be considering whether vendors can evolve and if they are financially strong enough to adapt as the market changes.”
Palgon concurs: “As technology advances, cloud computing will have to change, and you’ll need to build that into your agreement. These are legal documents. I would advise hospitals to seek out attorneys who specialize in cloud computing to ensure that they are getting everything they need.”
— Susan Chapman is a Los Angeles-based writer and author.