Navigating your way to the cloud in healthcare A practical guide for the healthcare industry in Korea A Cloud for Global Good


Navigating your way to the cloud in healthcare

A practical guide for the healthcare industry in Korea

A Cloud for Global Good


The Digital Transformation of Healthcare in Korea

Overview: The four pillars of a successful cloud adoption

Pillar 1: Understanding the regulatory landscape

Case Study: LG CNS

Pillar 2: Full, informed stakeholder involvement

Case Study: Children’s Mercy Hospital

Pillar 3: Partnering with the right cloud services provider

Case Study: Fullerton Healthcare Group

Pillar 4: A robust contract

Putting it into practice

An unprecedented opportunity to transform Korea’s healthcare institutions

Further information


The Digital Transformation of Healthcare in Korea

We live in a period of dramatic progress in the quest to improve healthcare services through technology.

As a world leader in broadband penetration and connection speeds, with a long history of investing in advanced technology infrastructure to maintain its global advantage, Korea is uniquely well-placed to benefit from the digital transformation of healthcare.

The opportunity presented by new technologies is recognized at all levels of the healthcare industry in Korea – starting with top-down support from the Ministry of Health and Welfare (MOHW). One of the three core pillars of MOHW’s vision for positioning the country as one of the “World’s Top 7 Biohealth Nations” is the development of medical services powered by technology. From working towards telemedicine as a means of delivering better patient care [1] to facilitating advanced data and information sharing, MOHW’s support underlines the potential for technology to transform the healthcare industry in Korea.

Healthcare institutions [2] themselves have been quick to reap the benefits of digital transformation. Seoul National University Bundang Hospital is shaping the future of the digital hospital with a next-generation medical information system [3]; Chosun University Hospital’s tablet deployment has made mobile nursing possible [4]; Yonsei University Health System is harnessing the cloud for cutting-edge research into predicting (and preventing) the onset of major diseases [5]; and Asan Medical Center leveraged the power of big data analytics in its early-2017 contest to find better solutions for diagnosing cancer and diseases [6].

The above are but some examples of healthcare institutions across the country deploying digital platforms and services to optimise clinical and operational effectiveness, empower care teams, engage with patients and raise the quality of care. Indeed, the healthcare industry in Korea has the opportunity to play a global leadership role in technology as MOHW delivers on its policy objective of creating a “Global Brand for Korean Healthcare”. LG CNS is just one recent example of companies taking Korea’s digital healthcare expertise to the world, entering the medical information market in the United States with a medical information management system powered by the Microsoft Azure cloud platform.

To a large extent, the digital transformation in Korea and around the world is powered by cloud technologies. Cloud computing holds the promise to drive enormous societal and economic benefits at an unprecedented scale and pace. At Microsoft, we believe that to ensure the benefits of cloud computing are broadly shared, a balanced set of policy and technology solutions that will promote positive change is necessary. Korea’s experience exemplifies this. The digital transformation of Korea’s healthcare industry has been complemented by an increasingly supportive regulatory framework, emphasised by the passage of the Cloud Promotion Act, the world’s first legislation focusing specifically on the development of cloud computing.

Despite already being a world leader in technology infrastructure, there are still enormous opportunities for future growth in Korea’s digital healthcare industry. In the past, the pace of cloud adoption in Korea’s healthcare industry was slower than in other regulated sectors, largely because of concerns about the regulatory environment.

[1] For further information on these initiatives, please refer to https://www.mohw.go.kr/eng/jc/sjc0101mn.jsp?PAR_MENU_ID=1003&MENU_ID=10031802.

[2] In this paper, we use the term “healthcare institutions” broadly to refer to the full spectrum of public and private sector healthcare operations in Korea.

[3] See https://customers.microsoft.com/en-us/story/shaping-the-future-of-the-digital-hospital-with-a-nex1.

[4] See https://enterprise.microsoft.com/en-us/customer-story/industries/health/windows-8-tablet-pc-makes-possible-a-kind-of-mobile-nursing-service/.

[5] See https://news.microsoft.com/ko-kr/2017/03/29/hospital_azure/#sm.000e7dpubjj4fls11m1181cvfu697#eHUzAlbU4JZkWQde.97; and http://www.koreabiomed.com/news/articleView.html?idxno=388.

[6] See https://news.microsoft.com/ko-kr/2017/03/09/azure_medical/#sm.000e7dpubjj4fls11m1181cvfu697#qDmZrKkeMOmXIwjC.97; and http://www.docdocdoc.co.kr/news/articleView.html?idxno=1037799.


Fortunately, those concerns have now been addressed by regulatory changes, such as the recent changes which enabled healthcare institutions to store electronic medical records [7] in the cloud. Whilst matters such as in-country storage of electronic medical records, data privacy and data security remain at the core of the healthcare regulatory environment in Korea and must be addressed as part of any technology adoption, there is now widespread acceptance that cloud services can comply with (and even enhance the level of compliance with) the necessary regulatory requirements in Korea.

At Microsoft, the positive outlook for the healthcare industry in Korea inspires us. Having partnered with healthcare institutions on many high-profile technology projects in Korea, we have cultivated knowledge and developed a pool of practical resources to help healthcare institutions navigate the landscape for cloud adoption.

This regulatory experience supplements our deep understanding of the business needs of healthcare institutions. In collaboration with McKinsey’s healthcare practice leads and subject matter experts, we have created the Digital Maturity Model to enable healthcare customers to focus on the components of a digital transformation that are most likely to have the greatest impact.

Our commitment to customers does not end there. Having partnered with organisations across all sectors in Korea for many years, we have witnessed the transformational power of technology in the country. It was as a result of our long-standing engagement with organisations across Korea, listening carefully to their objectives for digital transformation, that we announced the launch in 2017 of data centers in Seoul and Busan, enabling our customers in Korea to achieve even higher performance and supporting their regulatory requirements and preferences regarding data location.

This paper is a further contribution to the digital transformation of Korea’s healthcare industry. Designed as a practical roadmap, it will help Korea’s healthcare institutions take full advantage of the transformational benefits of cloud technologies based on a full understanding of the regulatory framework. We also share examples of how cloud technologies are already transforming the way healthcare services are provided in Korea.

We hope this paper is useful and look forward to continuing the conversation as we seek to realise our mission of helping Korea’s healthcare institutions in their journey towards a digital future. We are committed to ensuring that the healthcare institutions in the country will benefit from this new wave of innovation. Delivering a cloud that is trusted, responsible and inclusive is a key part of our commitment to this digital transformation and to a cloud that serves the global good.


[7] “Electronic medical records” are defined under Korean law as records generated by licensed doctors and nurses while treating a patient, including the patient’s medical record, prescriptions and diagnosis. The term does not, however, include other health-related data created or collected by other parties.


OVERVIEW

The four pillars of a successful cloud adoption

Based on Microsoft’s experience of working with healthcare institutions in Korea and around the world, a successful cloud adoption rests on four pillars, as shown below.

• Understanding the regulatory landscape

• Full, informed stakeholder involvement

• Partnering with the right cloud services provider

• A robust contract

Importantly, Microsoft recognises that each of these pillars is inter-related and inter-dependent. For example, assurances made by a cloud services provider in response to selection criteria will need to translate into binding commitments set out in a robust contract.

By focusing on these four pillars, healthcare institutions in Korea can move to the cloud in a way that addresses the key regulatory and compliance considerations.

The following pages describe these pillars in greater detail.


PILLAR 1

Understanding the regulatory landscape

Summary

A successful cloud adoption begins by understanding the regulatory landscape for the adoption of technology by healthcare institutions. We set out below further details of the regulatory environment and the process for cloud adoption in Korea, with the goal of making the entire process more streamlined for healthcare institutions.

The regulatory landscape

Are cloud services permitted?

Yes.

Who are the relevant regulators and authorities?

The Ministry of Health and Welfare (MOHW)

What regulations and guidance are relevant?

• The Act on the Development of Cloud Computing and Protection of Users (Cloud Promotion Act)

• The Personal Information Protection Act (PIPA)

• The Act on the Promotion of Information and Communication Network Utilization and Information Protection (Network Act)

• The Medical Services Act (MSA) and the Enforcement Regulations under the MSA

• Standard on Equipment and System Requirements for the Maintenance and Preservation of Medical Records (MOHW Notice)

• Data Protection Standard for Cloud Computing Services (CCPA Guidelines)

Are transfers of data outside of Korea permitted?

Yes, for categories of data other than electronic medical records. No, for electronic medical records. The MOHW Notice permits electronic medical records to be stored outside of the facilities of healthcare institutions but the electronic medical records must still be stored within Korea. With the launch of our data centers in Seoul and Busan, Microsoft helps its customers meet the necessary requirements by committing to store categories of data at rest in the Korea geography.

Is regulatory approval required?

No.

Are public cloud services secure?

Yes. When undertaking due diligence, many of our customers have found that Microsoft’s public cloud services offer an increased level of operational security, risk management and compliance relative to a private or on-premises solution, for both sensitive information such as electronic medical records, and non-sensitive information.

Can public cloud services meet the necessary data separation requirements [8]?

Yes. The MOHW Notice requires the physical separation of backup equipment for the storage of electronic medical records. It is possible to use public cloud services in compliance with this requirement where the cloud services provider has more than one data center, to separate the system and equipment dedicated to backup storage from other operational systems. Microsoft’s two data centers in Korea – one in Seoul and one in Busan – allow healthcare institutions using Microsoft’s cloud services to meet these requirements.

How Microsoft helps

Close cooperation with regulators and healthcare institutions in relation to a number of successful technology projects in Korea has given Microsoft an in-depth understanding of the regulatory framework. Issuing this paper is part of Microsoft’s commitment to its healthcare industry customers to help them navigate and comply with the regulatory framework as it applies to cloud services.

In addition to this paper, Microsoft has developed a checklist mapping its compliance against each of the underlying regulatory requirements. For example, if a healthcare institution wishes to understand how Microsoft cloud services comply with the MOHW Notice requirement for uninterrupted system backup, they can easily verify this by accessing relevant product and service information. This checklist is available from your Microsoft contact upon request.

To further streamline cloud adoption, Microsoft’s team will be on-hand throughout the process to help you with any questions you may have along the way. You can also access the Microsoft Trust Center at microsoft.com/trust, which includes detailed security, privacy, and compliance information for all Microsoft cloud services.

[8] Public healthcare institutions should also take into consideration the CCPA Guidelines, a set of non-binding recommendations for public institutions across all sectors which include various guidelines regarding data security.


CASE STUDY 1

LG CNS

Korean IT services provider LG CNS is an experienced provider of healthcare solutions related to medical information in Korea. They traditionally develop solutions based on on-premises IT infrastructure, instead of on the public cloud, due to the nature of Korean hospital environments and regulations.

In 2010, LG CNS identified an opportunity in the United States for selling medical information solutions to small nursing homes and assisted-care facilities. It was then forecasted that the aging of the large US baby boom generation would increase demand for healthcare services at the 17,000 nursing homes and 38,000 assisted-living facilities across the country.

However, when investigating the US market through a pilot program in 2012, LG CNS learned that the small local nursing homes and assisted living facilities lacked computer centers, technical staff and budget, thus would not be able to install, maintain and operate traditional on-premises IT infrastructure themselves.

LG CNS decided that the utilisation of a public cloud that met local requirements and regulations in the United States was more advantageous than building local data centres. It would also minimise IT burdens for customers, because LG CNS would be responsible for maintaining and controlling the cloud infrastructure for its individual customers.

LG CNS chose Microsoft Azure to host the infrastructure for LG CNS’s solution. The Azure platform complies with the US Health Insurance Portability and Accountability Act (HIPAA) standards for security and privacy of health data. LG CNS could accordingly offer their US customers cloud storage solutions without having to work through compliance issues.

“When healthcare facilities choose a Microsoft Azure–based information solution, they can make investment not at once, but over as long as two to three years. This helps them increase ROI while decreasing TCO from the standpoint of system maintenance.”
Hwang Yongdon, Head, LG CNS Medical Information Department

The ease of application development on Azure, and Azure’s ability to support multiple platforms enabled LG CNS to easily offer its Electronic Health Records (EHR) and Smart POCS (Point of Care Solutions) products in the United States. Furthermore, Azure’s strong support for mobile applications enabled LG CNS’s POCS products to be developed and deployed using mobile devices.

The ability to efficiently implement existing Microsoft Office cloud-based communication products with Azure, without needing any integration with other computer systems, also allowed LG CNS to smoothly introduce their telemedicine solutions. This made it possible for their customers to provide medical treatment and nursing remotely.

By choosing Azure as its cloud computing platform, LG CNS has been able to quickly expand its business into the US healthcare market, easily develop and maintain its solutions, and deliver its services to customers at an affordable price. The company started offering its US solutions in June 2013 and is now poised to expand to other markets.

PILLAR 2

Full, informed stakeholder involvement

Summary

Microsoft’s experience is that a smooth cloud adoption depends on full, informed stakeholder involvement from the outset, with decisions being based on a complete understanding of the proposed cloud solution. Although this is not a specific regulatory requirement, putting the right team in place and understanding all aspects of the proposed technology are essential for the healthcare institution to satisfy itself that the cloud adoption meets the necessary requirements. Microsoft believes that it is the responsibility of the cloud services provider to make available detailed product and service information to ensure that the key decision-makers have all of the materials they need to make an informed choice.

Recommendations

Build the core stakeholder team and develop the business case

A multi-disciplinary team should be put in place from day one.

The institution’s technology and procurement teams should take the lead in developing the business case, with a focus on the operational, commercial and patient care factors driving the decision to adopt cloud services.

The institution’s legal, risk and compliance teams should be involved in these discussions from the outset, to map the proposed solutions against legal and regulatory requirements and to build in the necessary timeframes to engage with regulators. Many technology projects have been delayed by involving the legal, risk and compliance functions too late in the process.

The institution’s board and senior management will typically require early reassurance in general terms regarding the business need for the use of cloud services and the oversight, review, reporting and response arrangements to be put in place with the cloud services provider.

Understand the technical solutions available

Any healthcare institution’s technology procurement project requires that all of its key decision-makers have a full understanding of the technology solution to be deployed.

This begins by ensuring that every member of the core team has a clear understanding of the proposed cloud service and deployment models. A range of options exists, including public, private, hybrid and community cloud, but given the operational and commercial benefits to customers, public cloud is increasingly seen as the standard deployment model for most institutions.

You can access more information about the service and deployment models on offer through the Microsoft Trust Center at microsoft.com/trust.

Consider data categorisation

As outlined under Pillar 1, there are no blanket regulatory barriers to storing any categories of data in the cloud. However, data categorisation is still a sensible step for healthcare institutions to take because it can help institutions to determine how their cloud services should be configured. For example, the MOHW Notice requires one category of data, namely electronic medical records, to be stored within Korea. By categorizing data, healthcare institutions can determine which datasets are subject to this data residency requirement. They can then configure their cloud services accordingly, by ensuring that these electronic medical records are stored in Korea-based data centres. Microsoft’s two data centres in Korea allow our cloud customers the freedom to choose where in the cloud their data resides, and the ability to remain compliant with data residency requirements such as those under the MOHW Notice.

Obtain detailed product and service information

Having understood the technical solutions at a high-level, the healthcare institution should also obtain detailed product and service information from the cloud services provider. It is important to have a detailed understanding of the cloud solution to ensure that it meets the relevant regulatory requirements. We expand on this in the next pillar, “Partnering with the right cloud services provider”.

How Microsoft helps

A digital transformation is a journey. Like all journeys, we must know where we are starting from, and we must have a destination in mind.

Microsoft’s expert team is on hand to support you throughout your cloud project, right from the earliest stages of initial stakeholder engagement through to the rollout of the solution. Our cloud product range spans all cloud service and deployment models and, with the launch of our Korea-based data centers and transparent approach to data location, we provide cloud customers with the flexibility to decide how and where their data will be stored and processed. We have developed a range of materials, including product fact sheets and online trust centers, designed to ensure that you have access to all the information needed to make an informed decision. Our subject-matter experts are available to meet with you and your core stakeholders to provide specific and detailed information on the technical, contractual and practical aspects of your proposed cloud project.

For healthcare institutions seeking end-to-end advice and support in relation to transformative digital projects, we have developed the Digital Maturity Model (DMM). Developed in association with healthcare practice leads and subject matter experts from McKinsey, as well as Microsoft’s own subject matter experts, the DMM is designed to help our customers focus on the components of a digital transformation that are most likely to have the greatest impact.

The DMM allows for the evaluation of where customers are in their digital transformation journey by examining their efforts across four key pillars:

• Engage your patients: patient-centric delivery to get patients healthy and help them stay healthy;

• Empower your care teams: applying digital capabilities to improve care team productivity;

• Optimise your clinical and operational effectiveness: using digitised processes to drive better diagnoses and treatment; and

• Transform the care continuum: redefining care delivery through platforms that provide insight.

Two further layers of detail turn the DMM into a key tool in shaping each customer’s digital transformation, guided by the customer’s own priorities:

• A set of capabilities for each pillar and a maturity scale of 1 (Laggard) to 4 (Best Practice) for each capability; and

• The approaches to deliver each capability.

More information about the Digital Maturity Model is available from your Microsoft contact upon request.


CASE STUDY 2

Children’s Mercy Hospital

Autumn Parkinson’s son, Job, was born with Hypoplastic Left Heart Syndrome (HLHS), a serious and rare congenital disease. Four months after he was born, and after surgery and an eight-week stay at Seattle Children’s Hospital, Autumn and her husband found themselves back home in a rural area of Tacoma, Washington, with a medically fragile infant who needed constant monitoring until his next surgery in six months. Autumn knew from HLHS support groups online that most parents had to take painstaking records daily in a three-ring binder and phone them in to their doctors to watch for complications, and even then, as many as 25 percent of the babies would die before their second surgery.

Thanks to the Cardiac High Acuity Monitoring Program (CHAMP), an app conceived by Dr. Girish Shirali, a pediatric cardiologist at Children’s Mercy hospital in Kansas City, Autumn has been able to relax into the routine with the comfort of knowing her baby’s cardiologist and nurse are looking over her shoulder every day, via the cloud.

CHAMP consists of a Microsoft Surface 3 tablet with the Windows 10 operating system, connected to a database that sits in the Microsoft cloud. The family enters the baby’s information in the app throughout each day, and the figures are instantly analyzed in the cloud. If there are any measurements outside healthy cardiac parameters, such as oxygen saturation that’s too low or high, the baby’s medical team is automatically alerted. There’s also an “I’m concerned” box parents can click that will immediately page the nurse.

Before CHAMP was introduced, parents would need to check various vital signs at home, such as heart rate, weight and oxygen saturation, that are important indicators of cardiac health, and then it was up to them to provide that information to the hospital each week over the phone. Otherwise nurses would try to track down the parents to find out if they were concerned about anything.

With CHAMP, nurses can see every piece of data within two minutes as it goes from the tablet to the cloud. Even when there are no alerts, they can look through reports daily. This enables them to be proactive and intervene before a situation develops into an emergency event.

Since its adoption by Children’s Mercy Hospital in 2014, no baby with HLHS has died. CHAMP has thus already saved babies and made life easier for their worried parents. Beyond saving lives, it also reduces costs, as babies with HLHS are the most expensive patients in cardiac clinics.

Today, with four years of learnings under their belt, CHAMP is looking to expand across the country and is being contemplated for other diseases as well.

“If we follow 30 kids a year, that’s a whole kindergarten class that was saved, and that’s crazy. We didn’t know what we didn’t know before and didn’t realize that we were missing trends due to only getting numbers once a week.”
Lori Erickson, Nurse Practitioner and Clinical Coordinator, CHAMP Program

PILLAR 3

Partnering with the right cloud services provider

Summary

Although there is no mandatory due diligence process, healthcare institutions should carry out appropriate due diligence to ensure that the cloud services provider can meet the applicable operational, security, risk management and compliance requirements. To ensure that they are getting a compliant solution, the healthcare institution should develop a set of due diligence and selection criteria mapped against the key regulatory requirements.

Recommendations

Whilst a summary of all applicable compliance obligations is outside the scope of this paper, the table below summarises what we believe are the key cloud services provider selection criteria, based on the underlying regulations and guidance and our conversations with customers. Healthcare institutions may wish to refer to these criteria as part of their cloud procurement.

Confidentiality and Security Standards

Given the sensitive nature of information that is held by healthcare institutions, it goes without saying that the chosen cloud solution needs to be secure. The due diligence process should focus on ensuring that the cloud services provider has measures in place to ensure compliance with the required confidentiality and security standards in Korea. These include:

• Requirements under PIPA and the Network Act to put measures in place to protect personal information;

• Requirements under the MOHW Notice to notify the relevant healthcare institution if data becomes damaged or is leaked; and

• Professional duties imposed on healthcare practitioners to keep information confidential, depending on the nature of their work.

Compliance with international security standards such as ISO/IEC 27001 and ISO/IEC 27018 has become an industry standard tool, in Korea and around the world, for cloud customers to verify that their cloud services provider meets the necessary confidentiality and security requirements.

Supervision

The healthcare institution will want to ensure that the cloud services provider has in place appropriate measures to enable the institution to assess its compliance on an ongoing basis. Although there are no specific requirements for assessment in Korea, at a practical level institutions will want to partner with cloud services providers who are subject to independent third-party assessments (for example, as part of international accreditations). Institutions will also want to ensure that the provider shares the outcome of these assessments with its customers. Through this independent assessment process, institutions can have confidence that the cloud services provider is continuing to meet the expected compliance standards.

Data Location and Transparency

As outlined in Pillar 1, above, there are no blanket prohibitions on the storage of data outside of Korea. There are, however, requirements to store electronic medical records within Korea under the MOHW Notice. Accordingly, depending on the specific use case for cloud services, the healthcare institution may choose to store certain categories of data within Korea. These healthcare institutions will want to check whether the cloud services provider is transparent as to its approach to data location and whether it can configure the service to ensure that certain categories of data are stored within the Korea geography.

Limits on Data Use

Cloud services providers should not use the healthcare institution’s data for any purpose other than that which is necessary to provide the cloud service. The cloud services provider should therefore commit not to use it for any secondary purpose, such as advertising. This is both good business practice and a specific requirement of Korea’s regulations.

Data Segregation and Backup9

As outlined in Pillar 1, there are no blanket requirements concerning the segregation of data in Korea, which means that healthcare institutions have the flexibility to choose from all cloud deployment models, including public cloud. Nonetheless, healthcare institutions will want to ensure that whichever cloud deployment model is used, the cloud services provider has in place appropriate measures to ensure that the confidentiality and security of data is not compromised. By way of example, to meet the requirements of the MOHW Notice concerning the physical separation of backup equipment for electronic medical records, healthcare institutions will want to verify that the cloud services provider has more than one data center within Korea to separate the system and equipment dedicated to backup storage from other operational systems.

Resilience and Business Continuity

The resilience of healthcare institutions’ systems is of utmost importance given the nature of their operations. Whilst not a specific requirement for using cloud services, a healthcare institution will, as a matter of operational good practice, want to work with a cloud services provider that offers a high degree of availability and resilience, provides the institution with access to and control of data and regularly tests its own business continuity and disaster recovery plans. Moreover, to deal with requirements under the MOHW Notice to provide monitoring of network systems, institutions will want to check whether the provider offers real-time information on service performance. These measures help to ensure that the use of third-party services does not threaten the continuity of the healthcare institution’s operations.

Cloud Services Provider Reputation and Competence

Healthcare institutions will want to carefully consider the cloud services provider’s track record in the healthcare industry, not just in Korea but also around the world. This is not a specific regulatory requirement but is important for providing valuable insight into the cloud services provider’s capabilities, track record and global standing.


Conditions on Subcontracting

While there are no specific requirements on subcontracting imposed by the regulations in Korea, there is little value in finding the right cloud services provider if that cloud services provider will simply subcontract all of its obligations to a third party that may not meet the necessary requirements. Healthcare institutions will therefore want to:

• Obtain a list of subcontractors used by the cloud services provider (for example, a list of Microsoft’s subcontractors can be found at aka.ms/Online_Serv_Subcontractor_List);

• Ensure that the cloud services provider takes primary responsibility for compliance from a contractual perspective; and

• Ensure that the cloud services provider only uses subcontractors that are subject to controls that are equivalent to those applied by the cloud services provider itself.

Conditions on Termination

While healthcare institutions will often look at cloud services as a long term solution, they should be prepared for a scenario where the cloud services are terminated. The Cloud Promotion Act addresses this issue specifically by requiring that the cloud services provider commits to return and delete data when the cloud services terminate.

How Microsoft helps

Microsoft understands that, wherever you are on your journey to the cloud, it is vital to work with a service provider that you can trust. Not all clouds are created equal — it is crucial to check the facts and know what you are getting.

Microsoft confirms its ability to meet all of the criteria specified above. Our understanding of the healthcare industry, based on experience of working closely with healthcare institutions and industry stakeholders over a number of years, is market-leading. Microsoft has over 40 years of IT experience, including decades as a cloud services provider running some of the largest online services in the world, and a proven track-record of successful rollouts for healthcare institutions in Korea and globally. We are proud of leading the way when it comes to offering cloud services that can help healthcare institutions maintain compliance with applicable laws, regulations, and key international standards.

We build our cloud services based on the core principle of trust. We are committed to ensuring that your data stays secure, that it stays private and under your control, and that if you use the Microsoft cloud, you stay compliant, even as regulations and standards evolve. We are also committed to being transparent about our security, privacy, and compliance practices. We make sure you know how your data is stored, accessed, and secured, and that you can independently verify this.

We are also committed to reliability and choice. That is, our software and services are robust to ensure you can access your data and services when you need to, and we give you the final say in decisions that impact compliance.

Microsoft invests heavily in compliance to meet multiple regulatory standards. We design and build services using a common set of controls, making it easier to achieve compliance across a range of regulations, even as they evolve. Our approach to security compliance includes test and audit phases, security analytics, risk management best practices, and security benchmark analysis. We’ve been able to maintain and expand a rich set of third-party certifications and attestations that you can point to in order to demonstrate compliance readiness to your customers, auditors, and regulators. These include ISO/IEC 27001, ISO/IEC 27018, SOC 1 and SOC 2. As part of our commitment to transparency, we share third-party verification results with our customers.

You can access more detailed information about the robust confidentiality and security at the core of each Microsoft cloud service in the Microsoft Trust Center at microsoft.com/ko-kr/trustcenter/default.aspx.


Figure: certifications and attestations by healthcare segment (Payer; Provider; Public Health & Social Services; Life Sciences & Pharmaceuticals). Entries shown: ISO 27001/ISO 27018; EU Model Clause; HIPAA BAA; FedRAMP; Australia Gov IRAP/ISM; Singapore MTCS; UK G-Cloud; Article 29 WP; Japan CS Gold Mark; Global.


CASE STUDY 3

Fullerton Healthcare Group

Fullerton Healthcare Group (FHG) is a provider of integrated enterprise healthcare services. Headquartered in Singapore, they own over 200 medical facilities in Singapore, Indonesia, Malaysia, Hong Kong, China and Australia, and work with over 25,000 companies to provide quality healthcare solutions to approximately eight million people in the region.

Having identified a need to provide quality healthcare that is accessible, FHG began looking for innovative solutions to advance their delivery of healthcare services and to improve overall patient experience. The group also recently expanded geographically, and needed an enterprise IT solution that could reduce complexity and enable staff across the region to communicate and work more efficiently and effectively.

Following detailed technical reviews and comparisons, FHG decided to deploy the Microsoft Office 365 cloud-based productivity suite to integrate healthcare delivery across their medical network and improve patient experience while maintaining the highest standards for security and privacy. Migrating to Office 365 enabled FHG to integrate their back-end IT operations and further improve their front-end service delivery, through the use of enterprise-grade productivity solutions, unlimited cloud storage, and built-in platforms for enterprise social and intranet collaboration. Front-end patient experience was also improved through the provision of virtual healthcare, allowing healthcare providers to communicate with patients via instant messaging, audio and video calls, and online meetings and sharing to facilitate the provision of healthcare in a secure and efficient manner.

Through operational analytics and machine learning capabilities provided by the Microsoft cloud, FHG was further able to develop a chronic disease management program, allowing them to manage patients with chronic heart disease and diabetes more effectively, resulting in fewer trips to the hospital and fewer missed days of work. This program has been so successful that the number of chronic disease patients FHG sees has decreased by 60%.

With the deployment of Office 365, FHG’s healthcare professionals are better able to develop the best course of action for each patient as informed by real-time medical informatics, resulting in a higher quality of care and lower healthcare costs.


“By leveraging the world’s most secure and advanced technology, we are able to extend our best-in-class healthcare services throughout Asia and deliver on our mission to transform healthcare standards in the region, making quality healthcare accessible and affordable to all.”

Ted Minkinow, Chief Information Officer, Fullerton Healthcare Group


PILLAR 4

A robust contract

Summary

Healthcare institutions will want to verify that assurances made by the cloud services provider in response to selection criteria are backed up by appropriate contractual commitments. The cloud contract should include appropriate terms so that the healthcare institution can satisfy itself of compliance with the underlying regulations.

Recommendations

The following terms are those that Microsoft believes to be important, based on the underlying regulations and our discussions with customers in Korea. Healthcare institutions will want to put in place a binding cloud contract that, as a minimum, includes these key terms. In practice, the cloud services provider should help by demonstrating how its cloud contract meets these requirements.

Privacy and Data Protection

The contract will need to contain appropriate requirements to enable the healthcare institution to meet its own primary obligations (e.g., ensure that all personal information is dealt with in accordance with applicable privacy and data protection laws).

Security and Data Breach Protocols

The contract should contain appropriate commitments from the cloud services provider to ensure that information and data are kept secure. The cloud contract should also address what happens in the event of a data breach incident – including any applicable notification, investigation and mitigation protocols.

Availability

As a matter of good operational practice and to ensure matters such as business continuity and resilience are addressed, healthcare institutions will want to ensure that the cloud services provider makes binding commitments as to service availability, with specified remedies in the event of an unscheduled service disruption.

Business Continuity

Again, in the interests of ensuring business continuity and resilience matters are addressed, the contract should provide for a disaster recovery/business continuity plan together with appropriate testing processes.

Confidentiality

In order to comply with patient confidentiality obligations, healthcare institutions will want to ensure that the cloud services provider makes binding commitments regarding the confidentiality of information stored in the cloud service.

Termination and Exit

Healthcare institutions will want the cloud services provider to commit that information will be securely returned to the institutions or deleted, as described in Pillar 3, above.


Conditions on Subcontracting

While subcontracting is permitted, healthcare institutions will want to ensure that the cloud services provider takes responsibility for compliance and ensures that any subcontractors are subject to controls that are equivalent to those applied by the cloud services provider itself.

Remedies

Healthcare institutions will want to ensure that the contract is clear as to the remedies to which they are entitled if the cloud services provider breaches its contractual commitments. In practice, remedies typically include service credits and/or termination rights, depending on the nature and circumstances of the breach.

How Microsoft helps

The contractual terms for Microsoft’s cloud services have been developed based on feedback from thousands of cloud customers across the most heavily-regulated industries around the world, including customers in the healthcare industry. Microsoft’s expert team will be available throughout the contractual review process to answer any questions you have about how Microsoft’s contractual terms for its cloud services provide confidence to cloud customers that they are complying with the applicable regulatory requirements and guidelines.


Putting it into practice

Scenario: Using Azure to unlock data insights that help improve population health

Data-driven diagnostics have the potential to improve patient care, reduce costs, optimize treatments and clinical pathways, and facilitate broad-scale research.

The ability to analyse massive amounts of data is vital to the future of healthcare. However, keeping pace with and generating value from increasing volumes of data requires ever-faster computing resources and rapidly increasing storage. These are core cloud capabilities, making cloud services the logical option for healthcare analytics.

Cloud-based analytics bring significant benefits to the healthcare industry. They provide the real-time insights you need to monitor and stratify patients according to risk; deliver more reliable, data-driven diagnostics; identify cost inefficiencies and bottlenecks in care pathways; and detect adverse events or other unexpected substandard patient outcomes. Analytics can also help you delve into the data to manage staff productivity or resource deployment. You can also repurpose data for research into optimisation, or even discovery, of new treatments.

Regulatory considerations

The regulatory obligations for the use of aggregated and de-identified medical data are no different in a cloud-hosted model than in a traditional on-premises model. Where information or data does not relate to a particular individual and cannot be used (whether on its own or with other information held by the institution) to identify a particular individual (“de-identified information”), it is not personal information and there are no regulatory restrictions on the use of such information. Under Korean law, if personal, health or other sensitive information is de-identified information, the privacy regulations will not apply. Please refer to the section above titled “Pillar 1: Understanding the Regulatory Landscape” for the most relevant applicable regulations.

Microsoft can provide data analytics services as an optional value-add to our cloud services. These use aggregated and de-identified medical data to help your practice or organisation with process improvements, health research and discovery, as well as other applications to drive beneficial health outcomes.

Microsoft is committed to using medical data only for the purposes expressly authorised by the practitioner. Microsoft will not undertake aggregated data analytics unless we have your express permission, on an opt-in basis.

If your organisation chooses to participate in the data analytics services, Microsoft makes binding contractual commitments to your organisation regarding the use of your customer data. For almost all of our cloud services, our commitment is to use your customer data only for the purpose of providing the service and compatible purposes, such as troubleshooting or malware prevention. However, for a limited set of Azure Cognitive Services, Microsoft has broader rights to use, retain, reproduce and create aggregated, anonymised data to improve the services themselves, as well as to provide the Cognitive Services. If your organisation chooses to participate, and where the content of data you send to the Cognitive Services includes personal data, you are required to obtain each data subject’s consent or to disclose the detail of your outsourcing arrangement with Microsoft to Microsoft processing the data as set out in the Online Services Terms.


Steps you should take

Your organisation will need to consider whether use of data analytics services is consistent with use limitations that attach to your dataset.

These use limitations will vary depending on:

• Whether the dataset contains medical information, personal information that is not sensitive information, or solely de-identified data; and

• To the extent your data include personal data, whether any required consents from patients have been obtained, or whether any disclosure of the outsourcing arrangement has been made, as required by Korean regulations.


An unprecedented opportunity to transform Korea’s healthcare institutions

Healthcare institutions in Korea have an unprecedented opportunity to take advantage of the full spectrum of cloud-driven technologies. Driven by a supportive regulatory framework under MOHW’s leadership, world-class technical infrastructure and a growing range of compliant solutions to choose from, healthcare institutions are beginning to reap the benefits of cloud computing, both in the domestic healthcare industry and around the world, as Korean healthcare develops a global reputation for excellence.

Whether it is operational data analytics to streamline operations and reduce costs; virtual health and telemedicine to better connect patients and care teams; clinical analytics to enable more informed choices at the point of decision; or taking raw data from sequencing machines to produce reports on identified genomic variants, just to name a few recent use cases, the range of opportunities is broad and growing all the time.

At Microsoft, we believe that cloud technologies will play a crucial role in the future of healthcare in Korea, and the expansion of Korea’s vibrant health technology sector locally, regionally and globally. We look forward to continuing our role at the forefront of this digital transformation, deploying trusted, responsible and inclusive cloud solutions for the benefit of our healthcare institution customers in Korea and their patients.


Further information

A Cloud for Global Good | Microsoft: news.microsoft.com/cloudforgood

Microsoft in Health: microsoft.com/health

Digital Transformation in Health: healthdigitaltransformation.com

Trust Center (Korea): microsoft.com/ko-kr/trustcenter/default.aspx

Service Trust Portal: aka.ms/trustportal

Online Services Terms: microsoft.com/contracts

Service Level Agreements: microsoft.com/contracts

SAFE Handbook: aka.ms/safehandbook

© Microsoft Corporation 2017. This paper is not intended to be a comprehensive analysis of all regulations and their requirements, nor is it legal advice; rather it is intended to be a summary and to provide guidance to healthcare institutions in Korea on the types of issues they should consider.

The information in this handbook is accurate as of April 2017.