HC3 Kickoff presentations - June 19, 2014

Description: Slides from the June 19th HC3 Kickoff meeting: HC3 Overview (Adam Greene); What is the Cloud? (Hemant Pathak); The Disruptive Cloud (Anish Sebastian); The Practical Cloud (Pete Celano)

Networking Breakfast. Presentations Start at 9AM ET

Logistics & Agenda

Grant Elliott

CEO, Ostendio, Inc.

@HCCCoalition #HC3

Event Sponsors

Agenda

8:30am  Networking breakfast (sponsored by Davis Wright Tremaine LLP)

9:00am  HC3 Overview Adam Greene

9:30am  What is the Cloud?   Hemant Pathak

10:00am  The Disruptive Cloud Anish Sebastian

10:20am  The Practical Cloud Pete Celano

10:40am  Panel Discussion & QA Moderated by Shahid Shah

(Hemant Pathak, Chad Kissinger, Sandeep Pulim, Adam Greene)

11:30am  HC3 Wrap up Adam Greene

Noon End

Questions & Comments

Send questions to @HCCCoalition #HC3

Addressing Regulatory Challenges of Bringing Health Care to the Cloud

Adam H. Greene, JD, MPH

Partner, Davis Wright Tremaine LLP

The Challenges

Cloud computing and cloud-based mobile technology can improve health care and reduce costs, but…

The Challenges

Health care is not fully leveraging cloud technology because of a lack of trust in information security.

The Challenges

Where health care entities leverage cloud computing, there are too many inefficiencies:

- A sea of different information security questionnaires
- Confusion and disagreement over business associate agreement terms
- Confusion over information security responsibilities

The Challenges

A lack of HHS guidance on how HIPAA applies to cloud computing:

- What if a cloud vendor was unaware it was hosting PHI for a covered entity?
- No guidance or audit protocols specific to business associates
- How to handle patients' rights and breaches when you may not know what information you have

The Challenges

The price of entry for small companies into health care is too high because of this confusion.

The Mission of HC3

Reduce obstacles to the health care sector leveraging cloud computing technology. Promote innovation by reducing health care compliance burdens on health care technology companies.

The Objectives of HC3

1. Understanding – Create an accepted framework for health care and cloud computing

The Objectives of HC3

Develop internal guidance on how HIPAA applies to cloud computing.

The Objectives of HC3

Develop tools, such as:

- Sample business associate agreement provisions, to address unique cloud computing issues
- Notices that clearly identify each party’s security responsibilities
- A self-audit protocol for cloud computing providers

The Objectives of HC3

Work with health care providers and other associations (e.g., HIMSS, Cloud Security Alliance) to obtain feedback and promote the tools and guidance.

The Objectives of HC3

2. Trust – Build trust in cloud computing and regulatory compliance through an accepted accreditation/certification process or other programs.

The Objectives of HC3

Certification needs to be:

- Focused on health care (e.g., HIPAA, Alcohol and Substance Abuse Treatment Confidentiality)
- Focused on cloud computing
- Scalable (e.g., works for both a large IaaS provider and a small SaaS provider that does not host its own data)

The Objectives of HC3

Not looking to reinvent the wheel. Adopt and promote any existing or upcoming certifications/accreditations that meet our needs. Tweak any existing certifications/accreditations that get us 90% of the way there.

The Objectives of HC3

3. Government Outreach – Seek regulatory guidance from HHS and other relevant agencies. Maintain outreach and transparency with the government.

The Objectives of HC3

4. What else?

Next Steps? Discuss the scope of what HC3 will initially take on.

Volunteers

Health Care Cloud Coalition: Legal considerations with cloud computing

A View From The Cloud Vendor. Insight on the HIPAA Omnibus Rule, Cloud Privacy & Security, and HIPAA Enforcement

Hemant Pathak, Assistant General Counsel, Microsoft

What are the types of cloud model we are going to discuss today?

Enterprise Cloud:

- Three types of cloud services: SaaS, PaaS, IaaS
- Public, Private, Hybrid
- Always available
- Per user, consumption buying model
- Data and services with a common delivery model in shared data centers
- Different from traditional “outsourcing”

Why do customers choose cloud services?

On demand scalability, reliability and flexibility of computing resources, updates, interoperability and tech support

Reduction of infrastructure costs & complexities at very large economies of scale across the board (electricity, network bandwidth, operations, SW & HW). Organizations can “get out” of the Data Center business

The right vendor can address state of the art security & privacy protocols to help customers address their compliance requirements in a highly regulated industry

From the cloud service provider (CSP) perspective – what are contracting expectations?

- Cloud services are configurable, but generally not customizable
- SLA, Service Descriptions, Security Descriptions
- Contract terms that require unique requirements for service for one individual subscriber are not scalable
- Pre-Sales CSP & customer partnership and due diligence on contract terms and solution alignment reduces risk now and in the future for both parties
- Ensure compliance with laws and corporate policies
- Protect brand and reputation for both parties

From the customer perspective – what are contracting expectations?

- Where and how is data stored? Clear data maps and geographic boundary information. Data must be encrypted wherever possible.
- Who has access and what is accessed? Core customer data must be accessed only for service delivery, troubleshooting, migration and malware prevention purposes on an exception basis, and all access should be logged.
- Who owns data? The Customer. Data must be fully portable and retrievable.
- Who pays for costs related to security breaches? Commercial term addressed by the parties.

Security & Privacy – How do you get assurances?

Security: Physical Data Center standards; Secure Networks; Automated operations; Robust breach prevention, detection and mitigation

Compliance: Cloud Service Providers (CSP) should address regulatory standards, e.g. ISO 27001, HIPAA BAA

Federal Trade Commission; Watchdog groups; Healthcare agencies; DHHS

Independent Audit & Verification

What are questions Customers ask a potential CSP?

Security & Privacy Compliance:

- Does the cloud vendor offer a BAA?
- Does the BAA contain all required HIPAA terms?
- Does the CSP stipulate to comply with the breach notification rule, timely reporting, appropriate and transparent limitations on use & disclosure and “minimum necessary”?
- Embedded technical, physical and administrative safeguards in support of HIPAA
- Data mining – will my cloud provider use my data for advertising, marketing or other commercial purpose w/o my consent?
- Does the CSP have a transparent and robust process on addressing third party requests for data?
- Clinical centered care strategies
- Compliance across collaboration modes through audio, video & messaging

HealthCare Enterprise Ready

What are consequences of non-compliance?

Phoenix Cardiac Surgery: Fined $100,000 by DHHS for failure to obtain a BAA

“Covered Entity failed to obtain satisfactory assurances in business associates agreements from the Internet-based calendar and from the Internet-based public email providers that these entities would appropriately safeguard the ePHI received from Covered Entity.”

Oregon Health & Science University: Negative PR stemming from a breach involving storing a spreadsheet of patient data with a cloud service which was not a business associate.

DHHS Regulator Quotes: “If you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don't use the cloud service.”

“…cloud services [are] under direct regulations of HIPAA…”

Conclusion

Health Care Providers moving to the cloud want to choose a CSP that has been proven trustworthy and that they can trust.

Transparency about compliance, security and privacy practices and use of data is the key to trust.

Transparency allows customers to determine whether using a given cloud offering helps them to be compliant with applicable regulations and corporate policy.

QUESTIONS?

The Disruptive Cloud – How the cloud is helping me drive innovation

Anish Sebastian, Co-founder, 1EQ

The Cloud

The Cloud = 10X Improvement!

- Ease of Use
- Scalability
- Risk and Reliability
- Cost
- Security
- Connectivity

Ease of Use

Ease of Use

- Deploy infrastructure quickly with no need for system admin
- No cabling, racking, unboxing or buying
- Software now controls the infrastructure
- Control your servers with the click of a mouse

Scalability

Scalability

- Can adjust to minute-by-minute variation in demand
- Nothing to purchase or take delivery of
- Increase innovation by removing “too scared to try” syndrome
- Go global in a matter of seconds (co-location)

Risk and Reliability

- Cancel immediately
- Change instantly, even OS
- Rebuilt instantly
- No long term contracts
- Based on enterprise grade hardware
- Employ best practices in IT: Design for failure; Control framework; Disaster recovery

Cost

- Pay for only what you use – nothing up front and pay as you go
- Zero CapEx = lower burn rate = happy investors!
- Cloud has economies of scale; business model based on volume, not margin
- Since we started using Amazon, prices have gone down

Security

- Architected for enterprise security requirements
- More than likely more secure than what you can normally build yourself
- AWS white paper on HIPAA
- Ability to quickly fix security holes and keep up with new compliance standards.

Being an “aaS”

SaaS – Software as a Service

PaaS – Platform as a Service

IaaS – Infrastructure as a Service

The Cloud Pyramid (figure): layers IaaS, PaaS, SaaS, on a scale from Broad to Niche.

The Cloud Pyramid (figure): layers IaaS, PaaS, SaaS, with their audiences: Developers, Users, Network Engineers.

The Cloud Pyramid (figure): IaaS, PaaS, SaaS with example services: Google Apps, Heroku, Salesforce, Windows Azure, SendGrid, Mailchimp, Twilio, Zendesk, … a lot more; Amazon, Rackspace.

The Cloud Pyramid – Applications long tail effect.

• The long tail is a direct impact of the cloud.

• They all talk to each other.

Connectivity

- This long tail of products connects to the cloud via API
- It has fueled a new era of APIs
- Allows various SaaS companies to stitch together a whole series of services, generally via API
- Everything is connected to everyone

Differentiation

Bottom Line: The cloud allows you to focus on what truly makes you different. Lets you outsource commoditized services and services that are not your core competencies.

What does the future look like?

The Answer is in the Cloud

Pete Celano

MedStar Institute for Innovation

www.mi2.org

Mission

Extend Access to the Poor/Rural

Reduce Costs

Better Outcomes

New Revenue

New World

Old World: EMR(s) is what you have

New World: Innovate “north” of the EMR.

And bolt-in.

Focus Areas

1. Capacity Utilization

2. Extending the Site of Service

3. Flowing Data to Docs

5-Step Process

1. What problem are we trying to solve, and RoI?

2. Balance Sheet Test

3. Our BAA

4. Pilot Fast

5. Take it Wide if Pilot Works & Economics are Verified

Five Predictions

1. Only more inventors will run-not-walk to healthcare

2. EMR vendors will be acquiring right & left in 2015 and beyond

3. Solutions will start breaking Provider-only and Provider-Payer (“Provayer?”)

4. Virtual Visits will take off like a rocket

5. Apple’s HealthKit et al will finally make Remote Patient Monitoring relevant.

Panel Discussion and Q&A, 10:40AM – 11:30AM

• Hemant Pathak (Microsoft)
• Chad Kissinger (OnRamp)
• Sandeep Pulim (@Point of Care 360)
• Adam Greene (Davis Wright Tremaine LLP)

Moderated by Shahid Shah, Netspective
