When health system CIOs evaluate vendors of cloud services, the list of criteria usually includes cost, flexibility, security and regulatory compliance.

Those factors certainly are on the list Mercy Health uses to evaluate potential cloud-based services.

Mercy Health—formerly Catholic Health Partners with 23 hospitals in Ohio and Kentucky—uses cloud services for clinical analytics involving confidential patient health data, physician referral, secure texting and enterprise-wide email.

It chose PremierConnect Enterprise, a cloud-based enterprise data warehouse and analytics toolset, to store and manage 1 terabyte of data extracted from a variety of sources, including general ledger, admission-discharge-transfer, billing, electronic health records, patient satisfaction surveys and labor utilization.

Mercy also uses a data repository and analytics platform from a second cloud vendor, Explorys, to aggregate data from electronic health records and insurance claims from both Mercy and its partners, including independent physicians, in clinically integrated networks. "That is really hard, hard work—not something we want to have Mercy employees doing," says J.D. Whitlock, vice president of clinical and business intelligence at Mercy Health.

Mercy is just one example of how providers are embracing the cloud for everything from electronic health records and data exchanges to finance and analytics.

In the 2014 HIMSS Analytics Cloud Survey, nearly 83 percent of the 150 survey respondents said their organizations were using cloud services. Another 9 percent said their organizations planned to use cloud services in the future, while 6 percent said their organizations did not plan to use cloud services in the future.

When asked what their current usage model was, the majority, or 70 percent, said software as a service (SaaS), while 15.3 percent said infrastructure as a service (IaaS) and 2.4 percent platform as a service (PaaS).

Through the survey, HIMSS Analytics also found that the most common use of cloud services was to host clinical applications and data. Other common uses included health information exchange; applications and data for human resources, finance or operations; and disaster and recovery services.

With the explosion of electronic transactions involving patient data coupled with providers' desire to aggregate and analyze that data, experts believe that more health systems will turn to vendors of cloud-based data repositories and analytics tools to tap into technical expertise and resources in a cost-effective manner.

In addition, many EHR vendors offer solutions hosted in the cloud, while others are entirely cloud-based.

"The bottom line is many organizations are looking for ways to reduce their infrastructure costs. That is number one," says Andrew Truscott, managing director of clinical services within the healthcare business at Accenture. Truscott says health systems also gravitate to cloud-based services because they want to scale their computing resources—both up and down—to match their current needs.

While cost-effective and flexible computing may be common drivers behind CIOs' decision to at least evaluate cloud-based services, they consider many other criteria before signing a contract to move applications and data, particularly those involving mission critical or sensitive information, to the cloud.

"Beyond saving money you ought to be looking at helping the organization achieve a tactical or strategic advantage, a level of resiliency, and something they can do faster and better independent of the price point," says Mark Dill, principal consultant at healthcare security firm, tw-Security, and former director of information security at the Cleveland Clinic.

Mercy in the cloud

Mercy is using data models Premier built and business intelligence tools hosted at Premier to build custom reports. The analytics work Mercy does using the Premier-hosted data primarily involves inpatient performance management based on fee-for-service reimbursement models.

"We needed a place to put [this data] in a big-data capable enterprise-data warehouse," says Whitlock. "We could have either built an enterprise data warehouse ourselves, or gone with one of the vendors that does this."

Mercy chose a cloud solution as a cost-effective alternative to the investment that would have been necessary—including hardware, software, and personnel—to build and maintain this enterprise warehouse internally, he says. The fact that Mercy had had a long-term relationship with Premier involving other products and services also factored into the decision.

Using Explorys, Mercy risk-stratifies patients and attributes them to the appropriate primary-care physicians. It also provides electronic patient registries to its internal and external physicians.

Security still a concern

Not surprisingly, the HIMSS Analytics Cloud Survey also found that privacy and security issues were the top factors health systems use to evaluate cloud providers.

Dill recommends that health systems develop a plan upfront for "what sensitivity of data you are going to even allow in which types of cloud services." Dill classifies data as public, internal documentation, or regulated data, which includes protected health information, social security numbers, and credit card data.

In the wake of very large breaches of sensitive data that occurred in 2014 and 2015 involving cyber attacks, such as at health insurers Anthem and Premera Blue Cross, Truscott says, "most health systems are doubling back and refocusing back upon their security and privacy provisions and just saying, 'are we getting this right or not?'"

Matt Eversole, vice president and chief operating officer for information technology at Mercy Health, says news about breaches in healthcare as well as other industries "has caused us to pull back a little bit from consideration of (new) cloud services."

Eversole says his 12-person IT security team is re-evaluating its procedures and processes to assess the protocols and technologies cloud vendors have in place to protect confidential data. The goal is to become more comprehensive in evaluating information about vendors' audited cybersecurity controls, recently completed risk assessments and audit results, and processes for incident response, among others. They also are considering whether to require cloud vendors to carry appropriate levels of cyberinsurance.

Data security also is a key concern at Cook Children's Health Care System.

The health system selected athenahealth in 2009 to provide electronic health records and practice management software to its primary- and specialty-care medical offices via the cloud. Since then, Cook has added other cloud-based products. Examples include Salesforce—which provides customer relationship-management solutions, including for service desks—and Pascal Metrics' cloud-based analytical tools to track, manage and analyze patient safety issues.

The health system conducts a security assessment of all potential cloud vendors and has scuttled potential deals after concluding that vendors' security processes were not adequate, says Theresa Meadows, senior vice president and CIO at the Fort Worth, Texas-based pediatric system that includes two hospitals, a health plan, physician network and home health services.

The Cleveland Clinic had comprehensive evaluation processes in place when Dill, who retired from the academic medical center in 2015, was director of information security. He worked with the legal and privacy departments to vet vendors being considered for contracts involving sensitive data. Dill investigated the maturity of vendors' security policies and practices, and the privacy department analyzed vendors' processes to audit how its employees handle the data.

"You have to ask your vendors the same questions you would be asking your own organization," he says. Those questions should evaluate vendors' protocols around securing data, how data is encrypted and who has access to the keys, how employees who have access to the infrastructure are vetted, how repairs are handled and hard drives sanitized, and what level of service a cloud provider has acquired from its cloud providers, he says.

Laws and regulations

Beyond security, protecting patients' confidential health information in accordance with federal laws and regulations also is a key concern.

The HIPAA Omnibus Rule, which HHS released in 2013, clarified that vendors typically are considered business associates if they receive, maintain or transmit protected health information on behalf of an entity, such as a health system, covered under HIPAA.

Compliance with the rule was one reason Mercy Health signed a contract with Microsoft in 2013 to provide cloud-based email to Mercy Health's 32,000-plus employees. Microsoft was the only vendor willing to sign a business associate agreement and "accept some kind of accountability for the protection of the data," Eversole recalls.

While email certainly isn't an ideal medium for sharing patient health information, some individually identifiable health information could end up in email messages. That is why Mercy developed policies to restrict the inclusion of patients' health information in emails, but also provided a mechanism to encrypt the data.

Daniel F. Gottlieb, partner in the law firm, McDermott Will & Emery, says even with applications that appear to be far removed from direct patient care—such as inventory management, payroll or ERP systems—it is still possible that an employee could upload some personally identifiable health information, which would trigger HIPAA requirements for a business associate agreement.

Some vendors will "include covenants in their agreements where the customer agrees that the customer will not upload any HIPAA protected health information into the service," he says. "What sometimes happens is the customer does upload PHI into the service even though there is not a business associate agreement in place."

Cook Children's Health Care System follows most of the same privacy and security policies for all cloud services vendors—even if they aren't involved with patient health data. As Meadows explains, "We don't want a breach of employee data or a breach of corporate data."

The contract process also can get bogged down by liability issues.

A sticking point between health systems and vendors sometimes occurs over how much liability the vendor is willing to assume in the event of a data breach. Health systems typically want vendors to assume all liability because the vendors control the data. However, vendors are "very skeptical about doing that," says Truscott. Vendors often want to push "the liability when it comes to a breach back down to the client themselves."

While CIOs may have an underlying assumption that a cloud service will be less expensive than an in-house solution, adopting a cloud service is typically not investment-free.

About one half of respondents to the HIMSS Analytics Cloud Survey said their organizations invested in network infrastructure and monitoring capabilities to prepare for a cloud service.

The cost of personnel is another consideration, in the experience of Meadows. When Cook Children's Health Care signed the contract with athenahealth in 2009, "we thought we wouldn't need a support team," she says. The reality turned out to be much different: The health system has "eight or nine" employees assigned to the system to troubleshoot problems, test changes to the software, train end users and handle other responsibilities.

The frequency of vendors' software updates and upgrades also is something to consider from a cost perspective, she says. For example, athenahealth upgrades software monthly, and Meadows' staff must allocate sufficient time to test those changes. "It is important to put processes in place to do testing," Meadows says. "We have to have a team ready to do testing every month."
