By Inhel Rekik
Cloud computing is very much on trend and represents an important shift in the way businesses think about IT resources. It is not uncommon today for HTM departments to purchase a cloud-based medical solution. Examples include a cloud-based image archiving system, or image processing software used in conjunction with a CT scanner, MRI or gamma camera to assist in the diagnosis of certain diseases. The cloud component may be as simple as sending usage statistics to the vendor to authorize use of the software, or it may send the images to the cloud for additional processing before they are retrieved back. HTM may also encounter a completely cloud-based solution, such as some of the modern asset management systems and image archiving systems.
So, what should an HTM professional know about cloud solutions? What security concerns should they be aware of in today's environment?
NIST defines cloud computing as "a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."
From an IT standpoint, cloud computing offers a host of advantages, the main ones being flexibility, optimization of resources and a faster cycle of innovation. Organizations typically use only 10% to 20% of their on-premise computing capacity. A cloud architecture makes it easy for an organization to scale the resources it uses up or down and to release those that are not in use. This leads to quicker deployment of applications, a need for fewer on-premise servers, and the ability to test solutions without significant capital investment. Infrastructure refreshes also happen on the provider's side, without the organization having to invest additional funds.
Cloud computing can be provided either as public hosting shared by several unrelated organizations, or as private hosting for large organizations that want more control. Do not confuse a private cloud with virtualization: cloud carries additional assumptions about architecture, workload manageability, provisioning automation and user self-service.
Different types of cloud services provided include: Infrastructure as a Service (IaaS); Platform as a Service (PaaS); and Software as a Service (SaaS).
Cloud computing shifts computing cost from capital expense (CAPEX) to operating expense (OPEX). As an IT-savvy HTM professional, you should know that some cloud-based software or SaaS solutions can still be capitalized if they meet the following criteria: you can take possession of the software during the hosting period, and you can install it in your own environment or have another party host it on your behalf. I will always recommend engaging your finance department as early as possible in the process.
Even though cloud computing reduces the number of on-premise servers an organization needs, and the headcount needed to maintain them, it does not always lead to cost savings. Depending on how often the service is used and the workload you need, it may be more cost effective to own the infrastructure.
Public clouds carry a host of security concerns. The first is loss of control over sensitive data. Does the cloud provider encrypt the data, both at rest and in transit, and who holds the encryption keys? Do they keep a backup of the data, and how is it tested? Where, physically, is the data stored? For organizations whose data is stored across states or countries, several laws and regulations must be considered. Breach notification laws differ between jurisdictions. If the data becomes involved in a criminal case, the country and state where it is stored dictate how much control the government has over it, and business data can be held hostage to an investigation.
Audit logs from the cloud provider may also be limited or nonexistent, which makes the actual level of security difficult to assess.
To mitigate some of these risks, provisions can be added to the service level agreement with the cloud service provider, such as: the client's right to audit; indemnity clauses to offset impacts caused by the cloud service provider; requirements for incident response planning (IRP) and business continuity planning (BCP); and guarantees of the integrity and confidentiality of business data.
When selecting a cloud solution, get your IT security team involved in the selection process so you can make an informed decision. It is clear that cloud solutions are going to become more prevalent in health care delivery organizations.
Inhel Rekik, MS, is the director of health technology security at MedStar Health in Columbia, Maryland.
