Tumult in the Clouds

April 29, 2010
by Brendon Nafziger, DOTmed News Associate Editor
This report originally appeared in the March 2010 issue of DOTmed Business News

Looking back at the life and times of the business-speak buzzword "solution," language observers can pinpoint the exact moment when the wheels came off. They will say it was in the mid-2000s when FedEx-Kinko's first started calling the adhesives used for putting up frames "wall-hanging solutions." If a kind of sticker is a solution, then everything's a solution.

But business abhors a vacuum of buzzwords. The latest buzzwords (or term) to come around, at least in health care IT, is cloud computing. Unlike the unwieldy and largely meaningless "solution," this refers to something if not new, at least newly realizable, with some fairly real benefits to offer as well, especially for health care centers.




Though it has almost as many definitions as there are people who talk about it, a "cloud" in this sense, is usually a model where you access service or storage through the Internet or some other network without actually owning or maintaining the hardware housing the data. (Gmail, for example, is a cloud "solution.")

For hospitals, one of cloud computing's most promising areas is in data storage, where some predict it could revolutionize the whole storage business, leading to streamlined costs and slimmed down IT departments.

"I think the cloud is a tectonic shift in the way people access computing services and it will change the way we live in a big way," says Moe Kermani, CEO of Bycast, a Vancouver, B.C.-based company that develops cloud storage-enabling software.

That said, despite the buzz, cloud storage comes with some serious privacy and security risks, which threaten to slow, or even halt, widespread adoption. As with many new modalities, this one brings with it dangers that have to be overcome before it can be part of the mainstream.

Need for space

First, cloud is especially exciting because the resource needs of doctors, especially radiologists, are growing fast. According to a recent IBM-sponsored case study, five years of PACS images at a busy health center could rack up almost 20 terabytes of stored data (one terabyte equals one trillion bytes). It's no surprise when you consider a typical 32-slice CT scan takes up around 200 megabytes (a megabyte equals a little over one million bytes) and a digital mammography file can eat up a whopping 500 megabytes.




For a health care center, the most annoying part is that these massive image archives are largely fallow. "Ninety-five percent of the access [to archived data] will take place in the first three years, after that access patterns drop," Kermani tells DOTmed News. According to other estimates, cessation of use is even faster: after 90 days, most radiological images aren't pulled again.

Still, just because they're ignored doesn't mean they can be destroyed. Because of HIPAA regulations, the images have to be shelved for a specified amount of time - typically, around seven years. But this medium-to-long-term storage brings with it demands of maintenance, security and back-ups, and the associated expense and manpower needed to ensure the data is safe.

This is where cloud computing could truly shine. In effect, it's about outsourcing those responsibilities to outside professionals in the same way you outsource natural gas delivery to National Grid.

The utility model

"The premise of cloud computing is gaining access to computational resources...in a manner that is analogous to how people consume utilities like electricity, water and telephone systems," Kermani says.

"It all comes down to economics. If I could use storage as a utility, I don't have to own it. I don't have to back it up," Kermani says. "I don't have my own generator in my backyard making power, why do I need my own data center?"

Or as Ryan Howard, CEO of Practice Fusion, a free cloud-based electronic medical record service out of San Francisco, Calif., puts it, "When you need water, you don't build your own water pipe to the lake. When you need electricity you don't build your own power grid. Cloud computing is the same concept."

According to Kermani, while the term - and the buzz - is new, the idea isn't. It goes back to at least the 1960s, with the creation of Multics, an early operating system-cum-computer developed by professors at MIT, who wanted to build a system where individual users would share the computing resources of a common infrastructure. They called it timesharing. In the 1990s, it emerged again as application service providers, and by the beginning of this millennium, it was going by the moniker grid computing.

Although it was named, it was hard to achieve in the past because the cost of bandwidth made it impractical: only 10 or 15 years ago, a physician would pay thousands of dollars a month for the blistering high-speed connectivity that powers the cloud. Thanks to cheap, ubiquitous broadband, it can now become an affordable reality.

The benefits of this new reality will probably, eventually, accrue most to smaller outfits: private practices or rural hospitals that can't afford to waste resources setting up their own IT departments and who don't want the stress of making sure their data is protected by point-in-time redundancies and other standard back-up protocols. With cloud, someone else is doing it for them.

"It reduces the technology [demands] for medical practices. We really see it as the solution for smaller private practices who don't have lots of infrastructure and who won't need to pay for installations," says Emily Peters, a spokeswoman for Practice Fusion.

Although a Software-as-Service (SaaS) provider - like Gmail - rather than a Storage as Service provider (or SaaS, and yes, it's confusing) - like, say, Amazon's S3 web-based storage service - Practice Fusion does house all EMRs in their own Texas and Florida-based data centers. She notes that a typical EMR software and storage installation for a doctor's office could reach $40,000 per user, so an average three-person practice might be set back $120,000 putting in a full records system and the means to back it up. Practice Fusion is free (and "paid for" through Gmail-like targeted advertising).

"If there's one thing I would say that often gets lost in the noise, it's that the cloud is about economics. Cloud storage is an economic delivery model for access to storage, and it's not about a new technology. It's a new way of doing the same thing we've done before," Kermani notes.

Big picture cost savings

But is it truly economical? In general, cloud storage providers charge around 10 to 25 cents per gigabyte of data transmitted to, or from, the cloud (in other words, downloading or uploading), as well as a monthly maintenance fee. For health care centers moving or accessing a lot of data, these costs can add up.

But Nirvanix, a San Diego-Calif.-based cloud storage company, argues that the cost savings of cloud storage over the traditional medium of tape are realized when taking into account the whole project.

"We have some of our enterprise customers telling us our costs are at or below their long term costs of ownership of tape," Nirvanix CEO Jim Zierick tells DOTmed News. This is because while the tape itself doesn't have any "costs" month to month, it does require an expensive IT department to maintain it as well as programs and procedures to back it up and store it.

"[Cloud] does compare favorably to tape, when you consider all the costs of tape storage: all the costs include not only buying the tape drive and buying new tapes, but the costs of sending them off-site, the costs of retrieving them, and the real challenge to the cost of tape, how do I make sure I can get back the images I put on the tape five or ten years ago?"

As technology advances, Zierick notes, health care centers have to waste space holding onto old technology that can read old tapes in case they need to be accessed.

While Nirvanix says cautious health care centers have yet to fully embrace the cloud platform, some are starting to warm to it. Beth Israel Deaconess Medical Center, a top-ranked academic hospital in Boston, Mass., recently began moving its PACS cardiology images off a DVD jukebox and onto cloud storage.

"The whole benefit of public cloud is that you don't have a huge IT staff. You can have data scale without having to buy the whole data center," says Michael Passe, storage architect for Beth Israel, which incidentally, has a large and well-managed IT staff.

But is it safe?

Although Beth Israel is exploring the clouds, they're doing so cautiously. Passe says they have shoveled around 10 percent of the cardiology PACS onto a cloud service, but it is a private, not a public one. Unlike cloud storage hosted by Amazon, Microsoft or the other big providers, where data from several users inhabit the same data space in centers off-site, private cloud is hosted in-house but can be accessed from any portal on-site. At Beth Israel, it's run using EMC's Atmos product and a privately circuited line leased from Verizon.

It is, Passe says, a way for them to test cloud without really committing themselves to it --- something Passe is, at this stage, reluctant to do. Simply put, Passe considers public clouds too risky.

"For us, because of security and new tech, it made most sense to invest in private," he says.

Security and safety are troubling after several well-publicized health care leaks. According to a recent HIMSS survey, nearly 60 percent of online hacks attack medical record, although in fairness it should be noted that none of the breaches have been in the cloud.

But that doesn't mean it won't happen. "Look, every once in a while someone hacks into a big e-commerce database and steals a bunch of credit cards. Security breaches will occur, and it's 100 percent assured they will occur in the cloud," Kermani warns.

Passe believes the two weakest links are security of transmission and the ability to audit access. In other words, how secure is the data when it leaves the facility, pulsing through fiber optic lines and making its way to the data center, and do you have a paper trail to track whoever has been accessing it?

"I don't think actual patient records will go into the cloud any time soon," he says. He foresees the first use to be unidentified data packets used in collaborative research. Cloud-hosting the packets would make it easy for researchers scattered around different hospitals or laboratories to pull down the data but in the event of a breach, no one's privacy would be compromised.

"We wouldn't be quick to embrace it," Passe says. "There are enough things going on in Boston health care. You don't want to be on page one because of a data spill or data leak."

Equally important, there are privacy concerns that relate to HIPAA.

Hip to HIPAA

Passed in 1996 and amended to its current form in 2003, the Health Insurance Portability and Accountability Act (HIPAA) is a complex suite of rules governing in part how confidential medical information can be shared and accessed.

The near consensus among privacy advocates and health care providers is that it's creaky, leaky and outdated. "HIPAA is a fib," says Pam Dixon, executive director of the World Privacy Forum. She and her Cardiff by the Sea-based organization have helped shape privacy and medical reporting law in California and regularly consult with state and federal government to develop tougher medical privacy laws.

Still, HIPAA's better than nothing, and even its flawed protections are generally held to be worthwhile. And regardless of its merits, the government can enforce compliance.

Which brings us to one of the main dangers with cloud: ensuring that HIPAA-covered entities - such as health care providers - are legally acceptable when putting personal health records in cloud storage.

Although it's easy to think of data in the cloud as nebulous vapors passing from site to site, the bits and blips of data are actually stored on slivers of silicon or other materials in a real-world physical location: one that could be outside the country, thereby putting it in violation of HIPAA agreements (all HIPAA-protected data must be in-country) and not subject to its protections.

"If the records are stored abroad, the only legal protections would be the contract the service provider signed with that organization or business entity. They don't have the force of law in the same way," says Dixon. "It's a whole different ballgame, and it's not HIPAA."

That's not all. Under HIPAA rules, any health care provider who wants to upload sensitive, identifiable patient records to the cloud must enter into a business associate agreement with the cloud host, which then requires the host to obey HIPAA guidelines about limiting access to the data and providing full audits of that access.

But asks Dixon, "Is a cloud provider a business associate? There's a lot of discussion about that."

"Here's where the rub is," she says. "A health care provider subject to HIPAA absolutely may not store a patient record in a storage business without that business associate agreement. But what are those cloud provider's terms of service? We've seen TOS that basically say we can publish any information for ad-serving purposes stored on our network. That doesn't jibe with HIPAA," she notes.

Nonetheless, Dixon acknowledges that electronic health records - perhaps stored in the cloud - are the future. Because of these complexities of complying with HIPAA, she believes there could be a place for specialty cloud providers working in the medical field who promise, for instance, not to offshore HIPAA-covered sensitive patient medical records.

Economies of scale

Yet, despite its risks, in many ways cloud could, ultimately, improve security.

"It's about separating fact from perception," Kermani says. "The perception is if it's outside of my walls it's less secure, but that's not entirely true."

After all, most data loss from hospitals or insurers has been through hardware theft, not cyber break-ins. As Practice Fusion's Peters puts it, "It's much easier to have a computer lost or stolen than to have someone go Mission Impossible and hack into your system."

But the main reason for beefier security is econ 101: economies of scale. A cloud provider can devote the resources to creating a world-class security system that would be impossible for a slew of smaller health care centers.

"If you pick the right [cloud] provider, they've spent a lot of money making sure the data center is secure, whereas if you put it in the data guy's closet, and he forgets to lock his door or he gets fired, and takes the keys and takes the tapes away, it's a lot less secure," Bycast's Kermani says.

For instance, Practice Fusion's CEO Howard tells DOTmed News that his company provides what he calls Fortune 500-level physical security. Data sites allow access only after employees undergo a biometric (thumbprint) scan, and all client data are stored in disaster-resistant cages.

Cloud provider Nirvanix says it also employs so-called Tier III data centers, a classification that ensures point-in-time redundancy copies of all datasets, power supply back-ups, reliable network connections and disaster-recovery protections. As with many of the cloud providers, Nirvanix sends all data over virtual private networks. These networks are shared circuits that limit access only to those parties sending and receiving.

And, like other leading cloud providers, all data are encrypted, both when transmitted and when they're hosted in the cloud, so even if they somehow got stolen they would yield little to most thieves.

And then there's auditing, tracking all access to data. Nirvanix's Zierick says they follow the SAS 70 security protocols, which gained popularity with financial firms eager to comply with Sarbanes-Oxley, a law that controls business auditing practices.

"Every transaction is logged, and customers can print out reports to say when files were uploaded and downloaded as well as internal reporting structures that show operations of our people in managing that data," says Zierick.

What to look for

So, for health centers looking to move to the cloud, how do they choose a provider?

First, buy from a trusted brand. As with the early days of e-commerce, Kermani suggests only doing business with the big names. "People have less of a problem going to a reputable e-commerce site, rather than going to Moe's discount site for whatever," he says. "I think at the end of the day, if it's not a top name brand there's a leap of faith."

And remember that cloud storage is a marriage, not a fling, and as with any long-term relationship it pays to know who your partner is.

"When you put your medical images [in cloud storage], you're not committing for two days, but for 5 or 10 years. You need assurances for longevity of the vendor. If they go [bankrupt] and you can't get your data back, they can be as secure as you possibly want," Kermani cautions.

Before signing up for a 10-year agreement, Kermani suggests asking if the company itself has been around for 10 years. "If it's a VC-funded, all-star team, all they're trying to do is sell their company, cash out and go sit on the beach. I think that's the way it is," he says.

And the vendor should have the right sort of data center security infrastructure certified and tested by third-party audits. The audits should cover physical security (such as biometric scan access to data centers), hardware security, firewalls and data encryption, says Howard.

The site should also provide you with audit trails cataloging obsessively every transaction, so you know whether someone has been in there and what they've seen - a feature essential especially for health centers in California, where a recent "no peep" law levies punishing fines on providers whose confidential patient records get seen by people who shouldn't see them.

What's most important of all? The fine print: a service level agreement that keeps your data in-country and that guarantees availability.

"The ideal cloud storage: you put your data in, and you don't worry about it and it comes with a service level agreement that says it's protected. You don't have to back it up. You put it there and it's done," says Kermani.

To ensure your TOS agreements say what you need them to say, they should be reviewed by a lawyer - one well-versed in medicine and cloud technology.

"Most physicians don't have that kind of legal background," says World Privacy Forum's Dixon. "Most of these TOS can run in excess of 100 pages. You need someone who has been through this before and can cut through that thicket."

"Litigation is going to be novel," she adds "and it's going to be expensive when it starts happening."