Slides from June 19th HC3 Kickoff meeting: HC3 Overview (Adam Greene); What is the Cloud? (Hemant Pathak); The Disruptive Cloud (Anish Sebastian); The Practical Cloud (Pete Celano)
Networking Breakfast
Presentations Start at 9AM ET
Logistics & Agenda
Grant Elliott
CEO, Ostendio, Inc.
@HCCCoalition #HC3
Event Sponsors
Agenda
8:30am Networking breakfast (sponsored by Davis Wright Tremaine LLP)
9:00am HC3 Overview Adam Greene
9:30am What is the Cloud? Hemant Pathak
10:00am The Disruptive Cloud Anish Sebastian
10:20am The Practical Cloud Pete Celano
10:40am Panel Discussion & QA Moderated by Shahid Shah
(Hemant Pathak, Chad Kissinger, Sandeep Pulim, Adam Greene)
11:30am HC3 Wrap up Adam Greene
Noon End
Questions & Comments
Send questions to @HCCCoalition #HC3
Addressing Regulatory Challenges of Bringing Health Care to the Cloud
Adam H. Greene, JD, MPH
Partner, Davis Wright Tremaine LLP
The Challenges
Cloud computing and cloud-based mobile technology can improve health care and reduce costs, but…
Health care is not fully leveraging cloud technology because of lack of trust in information security
Where health care entities leverage cloud computing, there are too many inefficiencies:
A sea of different information security questionnaires
Confusion and disagreement over business associate agreement terms
Confusion over information security responsibilities
A lack of HHS guidance on how HIPAA applies to cloud computing:
What if cloud vendor was unaware it was hosting PHI for a covered entity?
No guidance or audit protocols specific to business associates
How to handle patients' rights and breaches when you may not know what information you have
The price of entry for small companies into health care is too high because of this confusion.
The Mission of HC3
Reduce obstacles to the health care sector leveraging cloud computing technology. Promote innovation by reducing health care compliance burdens on health care technology companies.
The Objectives of HC3
1. Understanding – Create an accepted framework for health care and cloud computing
Develop internal guidance on how HIPAA applies to cloud computing.
Develop tools, such as:
Sample business associate agreement provisions, to address unique cloud computing issues
Notices that clearly identify each party’s security responsibilities
A self-audit protocol for cloud computing providers
Work with health care providers and other associations (e.g., HIMSS, Cloud Security Alliance) to obtain feedback and promote the tools and guidance.
2. Trust – Build trust in cloud computing and regulatory compliance through an accepted accreditation/certification process or other programs.
Certification needs to be:
Focused on health care (e.g., HIPAA, Alcohol and Substance Abuse Treatment Confidentiality)
Focused on cloud computing
Scalable (e.g., works for both large IaaS provider and small SaaS provider that does not host its own data)
Not looking to reinvent the wheel.
Adopt and promote any existing or upcoming certifications/accreditations that meet our needs.
Tweak any existing certifications/accreditations that get us 90% of the way there.
3. Government Outreach – Seek regulatory guidance from HHS and other relevant agencies. Maintain outreach and transparency with the government.
4. What else?
Next Steps?
Discuss the scope of what HC3 will initially take on.
Volunteers
Health Care Cloud Coalition
Legal considerations with cloud computing
A View From The Cloud Vendor. Insight on the HIPAA Omnibus Rule, Cloud Privacy & Security, and HIPAA Enforcement
Hemant Pathak, Assistant General Counsel, Microsoft
What are the types of cloud model we are going to discuss today?
Enterprise Cloud
Three types of cloud services: SaaS, PaaS, IaaS
Public, Private, Hybrid
Always available
Per user, consumption buying model
Data and services with a common delivery model in shared data centers
Different from traditional “outsourcing”
Why do customers choose cloud services?
On demand scalability, reliability and flexibility of computing resources, updates, interoperability and tech support
Reduction of infrastructure costs & complexities at very large economies of scale across the board (electricity, network bandwidth, operations, SW & HW). Organizations can “get out” of the Data Center business
The right vendor can address state of the art security & privacy protocols to help customers address their compliance requirements in a highly regulated industry
From the cloud service provider (CSP) perspective – what are contracting expectations?
Cloud services are configurable, but generally not customizable
SLA, Service Descriptions, Security Descriptions
Contract terms that require unique requirements for service for one individual subscriber are not scalable
Pre-Sales CSP & customer partnership and due diligence on contract terms and solution alignment reduces risk now and in the future for both parties
Ensure compliance with laws and corporate policies
Protect brand and reputation for both parties
From the customer perspective – what are contracting expectations?
Where and how is data stored?
Clear data maps and geographic boundary information
Data must be encrypted wherever possible
Who has access and what is accessed?
Core customer data must be accessed only for service delivery, troubleshooting, migration and malware prevention purposes on an exception basis and all access should be logged
Who owns data?
The Customer. Data must be fully portable and retrievable
Who pays for costs related to security breaches?
Commercial term addressed by the parties
Security & Privacy – How do you get assurances?
Security
Physical Data Center standards
Secure Networks
Automated operations
Robust breach prevention, detection and mitigation
Compliance - Cloud Service Providers (CSP) should address regulatory standards
E.g. - ISO 27001, HIPAA BAA
Federal Trade Commission Watchdog groups Healthcare agencies DHHS
Independent Audit & Verification
What are questions Customers ask a potential CSP?
Security & Privacy Compliance
Does the cloud vendor offer a BAA
Does the BAA contain all required HIPAA terms
Does the CSP stipulate to comply with breach notification rule, timely reporting, appropriate and transparent limitations on use & disclosure and “minimum necessary”
Embedded technical, physical and administrative safeguards in support of HIPAA
Data mining – will my cloud provider use my data for advertising, marketing or other commercial purpose w/o my consent
Does CSP have transparent and robust process on addressing third party requests for data?
Clinical centered care strategies
Compliance across collaboration modes through audio, video & messaging
HealthCare Enterprise Ready
What are consequences of non-compliance?
Phoenix Cardiac Surgery
Fined $100,000 by DHHS for failure to obtain a BAA
“Covered Entity failed to obtain satisfactory assurances in business associates agreements from the Internet-based calendar and from the Internet-based public email providers that these entities would appropriately safeguard the ePHI received from Covered Entity.”
Oregon Health & Science University
Negative PR stemming from breach involving storing a spreadsheet of patient data with cloud service which was not a business associate.
DHHS Regulator Quotes
“If you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don't use the cloud service.”
“…cloud services [are] under direct regulations of HIPAA…,”
Conclusion
Health Care Providers moving to the cloud want to choose a CSP that has been proven trustworthy and that they can trust.
Transparency about compliance, security and privacy practices and use of data is the key to trust.
Transparency allows customers to determine whether using a given cloud offering helps them to be compliant with applicable regulations and corporate policy.
QUESTIONS?
The Disruptive Cloud – How the cloud is helping me drive innovation
Anish Sebastian, Co-founder, 1EQ
The Cloud
The Cloud = 10X Improvement!
Ease of Use
Scalability
Risk and Reliability
Cost
Security
Connectivity
Ease of Use
Deploy infrastructure quickly with no need for system admin
No cabling, racking, unboxing or buying
Software now controls the infrastructure
Control your servers with the click of a mouse
Scalability
Can adjust to min by min variation in demand
Nothing to purchase and take delivery
Increase innovation, by removing “too scared to try” syndrome
Go global in a matter of seconds (co-location)
Risk and Reliability
Cancel immediately
Change instantly, even OS
Rebuilt instantly
No long term contracts
Based on enterprise grade hardware
Employ best practices in IT:
Design for failure
Control framework
Disaster recovery
Cost
Pay for only what you use – nothing up front and pay as you go
Zero CapEx = lower burn rate = happy investors!
Cloud has economies of scale, business model based on volume not margin
Since we started using Amazon, prices have gone down
Security
Architected for enterprise security requirements
More than likely more secure than what you can normally build yourself
AWS White paper on HIPAA
Ability to quickly fix security holes and keep up with new compliance standards.
Being an “aaS”
SaaS – Software as a Service
PaaS – Platform as a Service
IaaS – Infrastructure as a Service
The Cloud Pyramid
[Figure: pyramid with layers IaaS, PaaS, SaaS; labels: Broad, Niche]
[Figure: pyramid with layers IaaS, PaaS, SaaS; labels: Developers, Users, Network Engineers]
[Figure: pyramid with layers IaaS, PaaS, SaaS; examples: Google Apps, Heroku, Salesforce, Windows Azure; SendGrid, Mailchimp, Twilio, Zendesk, … a lot more; Amazon, Rackspace]
The cloud Pyramid – Applications long tail effect.
• The long tail is a direct impact of the cloud.
• They all talk to each other.
Connectivity
This long tail of products connect to the cloud via API
It has fueled a new era of API
Allows for various SaaS companies to stitch together a whole series of services generally via API
Everything is connected to everyone
Differentiation
Bottom Line:
The cloud allows you to focus on what truly makes you different
Lets you outsource commoditized services and services that are not your core competencies.
What does the future look like?
The Answer is in the Cloud
Pete Celano
MedStar Institute for Innovation
www.mi2.org
Mission
Extend Access to the Poor/Rural
Reduce Costs
Better Outcomes
New Revenue
New World
Old World: EMR(s) is what you have
New World: Innovate “north” of the EMR.
And bolt-in.
Focus Areas
1. Capacity Utilization
2. Extending the Site of Service
3. Flowing Data to Docs
5-Step Process
1. What problem are we trying to solve, and RoI?
2. Balance Sheet Test
3. Our BAA
4. Pilot Fast
5. Take it Wide if Pilot Works & Economics are Verified
Five Predictions
1. Only more inventors will run-not-walk to healthcare
2. EMR vendors will be acquiring right & left in 2015 and beyond
3. Solutions will start breaking Provider-only and Provider-Payer (“Provayer?”)
4. Virtual Visits will take off like a rocket
5. Apple’s HealthKit et al will finally make Remote Patient Monitoring relevant.
Panel Discussion and Q&A
10:40AM – 11:30AM
• Hemant Pathak (Microsoft)
• Chad Kissinger (OnRamp)
• Sandeep Pulim (@Point of Care 360)
• Adam Greene (Davis Wright Tremaine LLP)
- Moderated by Shahid Shah, Netspective