Considering the Cloud: Inside the Mind of the Healthcare CIO
December 15, 2015, 2:00-3:00 pm ET
Housekeeping Issues
- All participants are muted.
- To ask a question or make a comment, please submit via the chat feature and we will address as many as possible after the presentations.
- Audio and visual is through www.readytalk.com.
- If you are experiencing technical difficulties accessing audio through the web, there will be a dial-in phone number displayed for you to call.
- In addition, if you have any challenges joining the conference or need technical assistance, please contact ReadyTalk Customer Care: 800.843.9166.
- Today's slides will be available for download on our homepage at www.ehidc.org
Overview of eHealth Initiative
- Membership-based, non-profit
- Mission: to promote the use of HIT as a key component of health system reform.
- Research, advocacy, education: host webinars and events to:
  - Highlight higher-level theory and policy behind the use of health IT
  - Demonstrate on-the-ground examples of how organizations are using technology
  - Share lessons learned and best practices
Multi-Stakeholder Leaders in Every Sector of Healthcare
Considering the Cloud: Inside the Mind of the Healthcare CIO
- Explore the role of the cloud in healthcare
- Why use the cloud in healthcare? - discuss advantages of cloud infrastructure
- How to best enable the effective use of cloud? - governance, security, vendor relationships, workflow, etc.
- What impact has the cloud had on the enterprise?
Agenda
- 2:00-2:05 Welcome & Introductions
- 2:05-2:30 Presentations
  - Mitch Parker, Chief Information Security Officer, Temple University Health System
  - Chad Thiemann, Privacy Director, Information Governance & Privacy Operations, CVS Health
- 2:30-3:00 Audience Q&A
Speakers
- Mitch Parker, Chief Information Security Officer, Temple University Health System
- Chad Thiemann, Privacy Director, Information Governance & Privacy Operations, CVS Health
Considering the Cloud
Mitchell Parker, CISSP
CISO, Temple Health
Purpose of Presentation
- To show that the cloud is already in use in the healthcare environment, and how we can best manage it
The role of the Cloud
- Healthcare has always been about leveraging shared services to save money
- In the first days of computing, Service Bureaus used to provide time on mainframes for data processing
  - Shared Medical Systems (now part of Cerner) business model based on it
- This model continues, with multiple vendors offering Electronic Medical and Health Records as shared services
The role of the Cloud (2)
- There are several factors causing CIOs and CFOs to look into the Cloud:
  - Increased Clinical Initiatives taking up capital pool money
  - Increased operational costs for EMRs, EHRs, and supporting ancillary systems
  - Cash flow pressures due to public markets (bond, stock) and need to maintain certain operational income margins
  - Increased regulatory requirements (Joint Commission, CMS)
Why use the cloud in healthcare?
- Reduce costs of supporting non-core systems
  - Human Resources, Supply Chain, E-mail, File Storage
- Turn capital costs into Operational Costs
- Provide Better Security
  - Cloud Providers can provide better support and maintenance as they focus on your systems
  - They plan in aggregate and leverage costs
  - Better operational monitoring of systems
  - Better patching and protecting against vulnerabilities
Why use the cloud in healthcare? (2)
- Reduce costs of supporting core systems
  - EMRs are expensive
  - So are Ancillary Systems
  - Scarce resources for large popular implementations
- Hosting the EMR elsewhere allows for predictable costs, maintenance, and upgrades
- It also reduces risk to the core environment by having patients access the third party site instead of the hospital/healthcare environments
HOW TO BEST ENABLE CLOUD USAGE
Governance
- Cloud applications need to fall under the same rules and regulations that on-premise applications do, with no exceptions
- Supply Chain needs to be heavily involved
  - One of the issues we found was shadow IT doing acquisition and purchasing
  - You need to be able to have one set of rules that apply to everyone
- Departments need to be heavily involved
  - Even if your departments do not have cloud-based applications, their vendors do
Security
- You need to be very comprehensive in security evaluations
  - Standardized Questionnaire
  - Standardized Contract Language for HIPAA and Security
  - Preliminary Risk Assessments of products before the contract is even signed
  - Yearly risk assessments as per the HIPAA Security Rule
- You have every right to ask questions and ask vendors for changes
- Always make sure that moving a core system improves security and supporting processes
Vendor Relationships
- You need to have very tight relationships
  - They are your business partners, not your adversaries
- Make sure that contracts spell out everything they need to do
- Make sure that preliminary questionnaires cover major areas of security (hosting, development, ongoing maintenance, upgrades, downtime)
- You need to be upfront and specific about security Service Level Agreements
Disaster Recovery
- As per the Joint Commission Information Management Standards, organizations need:
  - Downtime Procedures
  - Disaster Recovery Plans
- While an organization might have been able to get away with not updating this as much in the past, this is different now
  - This is now something that needs to be tested at least yearly, if not more
  - This is one hidden cost that organizations may not be aware of
- Cloud does not obviate your need for DR and Downtime Procedures
  - Now that your applications aren't on premise, even if they are redundant, there is still increased risk of loss of connectivity
  - You need to be able to function without the Cloud
Workflow
- Cloud Applications need to be evaluated to see how they fit into organizational workflow
- Just going to something because it's in the Cloud doesn't help you
- You need to be able to make sure that applications work with what you have
Example #1 - Research
- Implemented a new double-blind system for research subject selection
- We were able to verify/validate the entire development and management process with vendor
- We were able to present a solution to executive leadership that was more secure than on-premise
- On-premise would not allow this system to work across institutions
Example #2 - Public Web
- With limited IT resources, they are not considered core
- We entered into an arrangement with a third-party hosting firm
- We conducted a risk assessment and interviewed the vendor
- We added specific language on security vulnerability remediation to contracts
- We are in the process of transitioning formerly on-premise web sites to the cloud, which reduces risk to our network
Conclusion
- The Cloud has always been there, and it's not going anywhere due to multiple factors
- You need to be able to reduce costs, but at the same time, increase service quality
- If you also take Governance, Security, Vendor Relationships, Disaster Recovery, and Workflow into consideration, you will be able to implement what your organization needs