Cloud Computing Healthcare

  • 7/31/2019 Cloud Computing Healthcare

    1/18

    NATIONAL SECURITY ENERGY & ENVIRONMENT HEALTH CYBERSECURITY

    Cloud Computing in Healthcare Organizations

    WHITE PAPER

    A perspective from Science Applications International Corporation (SAIC)

    SAIC. All rights reserved.

    Table of Contents

    Cloud Computing for Healthcare
    Benefits of Cloud Computing
    Potential Cloud Computing Risks
    Security in the Cloud
    Strategic Decisions Before Cloud Adoption
    Engineering, Implementation, and Cloud Management Services
    SAIC: Walking the Talk
    Getting Help with the Cloud
    Looking Ahead

    Cloud Computing for Healthcare

    With unprecedented pressures on healthcare organization (HCO) leaders to deliver more with less, many are looking for technology solutions to help realize goals for improved service quality and efficiency. Technology experts at Science Applications International Corporation (SAIC) understand implementing complex health information technology (HIT) systems can be challenging enough; but managing on-going operations with IT departments that are chronically underfunded and understaffed has a lot of CIOs looking to the cloud for answers to an equation that's tough to balance.

    What is Cloud Computing?

    Cloud computing is the delivery of IT infrastructure assets such as server capacity and software applications over the Internet on a utility basis. Cloud computing offers convenient, rapid and timely access to a shared pool of computing resources. Such resources can be strictly infrastructure components (i.e., networks, servers, storage, etc.) or can include software to facilitate ready access to applications and services.

    Cloud computing resources offer attractive flexibility; as usage demand ebbs and flows, the amount of horsepower being consumed can be adjusted to meet changing computing needs. But cloud computing is not just a new name for resource virtualization. Features such as self-service provisioning of resources, and advanced use-metering distinguish cloud computing as a new and transformational technology that promises to make the cloud a utility-like resource.

    As with all transformational models, the business value to be gained through cloud computing is proportional to the thought invested up front. Organizations that are truly serious about moving their assets and processes to the cloud should first consider some important strategic questions about their business processes and computing needs before selecting a technical solution.

    The strategy questions may seem vexing since they require engagement from the leadership ranks of the organization. But close attention to strategic planning will empower organizations to invest in solutions that will help them address their current computing needs, while providing a sustainable path to the future.

    The Preferred Computing Solution for Healthcare

    In cloud computing, the focus is on the selection of one of three service models - Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS) - described in the table on page 4. With an understanding of an HCO's goals, needs, and constraints, a cloud solution can be engineered to deliver specific, externally hosted applications, a complete computing platform for local applications to use, or simply rapid access to flexible and scalable computing. Cloud computing could be the centerpiece of the healthcare CIO's strategic IT planning.

    End users (such as a person, a department, a clinic, or an IT organization) can order services through a self-service catalog located on the Internet or private network. Service options should be chosen to maximize business value to the organization based on the strategic decisions mentioned above. The catalog should clearly define service levels and associated pricing, and services should be obtainable by submitting a service request. Once the service request transaction is complete, the service is

    Cloud Types | Characteristics

    Community | A community cloud offers benefits of both the private and public clouds. Essentially, community clouds are public clouds whose tenants are limited to a defined group or class of customers. This could include a cloud for hospital consortia such as an integrated delivery network (IDN) or an accountable care organization (ACO). These offerings are optimized for the customer community, and for regulated industries, such as healthcare, so that they comply with all applicable regulations. For example, a healthcare community cloud would be engineered to comply with Health Insurance Portability and Accountability Act (HIPAA) security and privacy requirements.

    Hybrid | Integrating elements from the previous three types, hybrid cloud is custom-engineered, frequently for a particular customer. Many customers, like hospitals and physician organizations that may be closing data centers, desire to integrate existing assets with an externally-hosted cloud solution.

    Benefits of Cloud Computing

    Cloud computing offers both tangible and intangible benefits to healthcare organizations. Through self-service ordering, reduced capital investment, and an abundance of performance metrics, healthcare CIOs can both improve the quality of service and reduce their costs. A move to the cloud also offers intangible benefits to long-suffering CIO offices struggling with more mandates than available resources.

    Process
    - Immediate self-service through a Web-based service catalog triggering a service request and subsequent automated workflow
    - Improved scalability to meet mission/business demand and surges
    - Improved mission/business agility through rapid provisioning

    Investment
    - Buy only as much as you need when you need it, using a metered subscription (pay-as-you-go) model
    - Reduced or no up-front capital investment for new information services
    - Reduced management and maintenance for existing information services

    Value
    - Measurable services
    - Proactive service continuity in the event of an outage or disaster
    - Improved accessibility and portability through open and simplified architecture
    - Security custom tailored to the business need

    Intangible
    - Focus intellectual capital on core business activities
    - Transfer of service responsibility to an external party
    - Reinvest IT expertise and capital on improved service and emerging issues
    - Improve the reputation and influence of the organization

    It's important to note that setting one's sights on cloud computing is not an all-or-nothing proposition. Process, investment, value, and intangible benefits can be partially achieved by working toward cloud computing without a complete adoption. A seasoned technology partner with strong skills in solution development through integration of new and existing assets is essential.

    Cloud Computing Opportunities for Healthcare

    The following is a list of use cases where cloud computing can bring value to the HCO. SAIC is assisting organizations with cloudifying many of these functions.

    Mission-Driven
    - Hospital-based electronic health records (EHRs)
    - Community-based health information sharing
    - Integrated delivery networks (IDNs)
    - Ambulatory EHR and practice management
    - Personal Health Records (PHRs)
    - Patient accounting, financial and billing systems
    - Enterprise Resource Planning (ERP) systems
    - Clinical ancillary systems such as Laboratory Information Management Systems (LIMS) and Electronic Prescribing (E-prescribing)
    - Consumer communications and social media
    - Cyclical and seasonal mission requirements (e.g., orthopedic services related to winter falls, flu season spike in demand)
    - Statistical and analytical functions requiring large-scale scientific and technical computing (outcomes analysis, business intelligence)
    - Episodic requirements which can benefit from rapid, on-demand cloud provisioning (e.g., emergency management, outbreak management, and food poisoning)
    - e-Filing efforts comprising complex multi-directional information submission, public collaboration, benefits transfer, and grants management
    - Broad and distributed quality, revenue, professional association or network responsibilities requiring information gathering, modeling, data mining, visualization, etc.

    Cross-Cutting
    - Communications (email, messaging, and mobile) and workflow management
    - Information discovery, archiving, search and retrieval, records management, and digital notary
    - Marketing, online training, and information dissemination
    - Employee orientation, announcements, services, training, and networking
    - Mobile application access and delivery
    - Backup and Recovery and Continuity of Operations (COOP)
    - Data gathering and situational awareness.

    Potential Cloud Computing Risks

    All computing solutions have inherent risks; and cloud computing is no exception. An organization must ensure that its risk exposure is reduced by adopting a cloud strategy that identifies and quantifies risk, avoids it if possible, and mitigates it if necessary.

    The following table summarizes major risks, typical exposure, and mitigation response for cloud computing:

    Risks | Mitigation/Avoidance Strategies

    Security, including non-compliance with the HIPAA Security Rule, and malicious intrusions | Security must be engineered into the design of the cloud and cloud monitoring and management processes. Use of National Institute of Standards and Technology (NIST) standards, cloud management tools for role-based access, and encryption of data at rest and data in motion will reduce vulnerability. Clear Service Level Agreements establishing responsibilities of the provider and the user are essential to controlling access, use, and management of sensitive data.

    Privacy risks, including non-compliance with the HIPAA Privacy Rule, breach exposures of private information, and identity disclosures resulting from data mining and advanced analytics | Policies and practices must be implemented that assure compliance with the HIPAA Privacy Rule. Monitoring to identify and prevent potential intrusions. Measuring and reducing the probability of identity disclosure. Ensuring that the proper contractual and legal protections are enacted.

    Lack of transparency into cloud environment | Use of cloud-compatible auditing and logging tools is critical for maintaining a window into the cloud to monitor security, availability, capacity, and performance.

    Lack of support for regulations and service levels; possibility of cloud supplier bankruptcy | HCOs need to apply due diligence in the selection of cloud service providers. Contracts need to clearly assign responsibilities for regulatory compliance, and delineate monitoring service levels using cloud management tools.

    Availability issues including outages, low bandwidth, unproven cloud providers, and no end-to-end monitoring | Lessons learned from high visibility cloud outages suggest that well-engineered systems suffer scant downtime. Building redundancy and extensive use of monitoring and metering right into a cloud strategy will pay dividends over time.

    Incompatibility of cloud with customer architecture and service management processes | Most customers will have legacy infrastructure that must be integrated into a cloud strategy. A good design will overcome potential incompatibility through use of a consistent technical reference model, architectural standards, and best practices.

    Compatibility of cloud with customer finance model and charging mechanisms | Cloud hosting vendors can provide the information to both examine expenses and charge-back to internal customers. When merged with a detailed distribution of legacy capital investment, transition-operation labor, and maintenance costs, this information can result in transparent cost pools for charge-back.

    Security in the Cloud

    Challenges

    A May 2011 Computerworld survey showed that, for security reasons, IT leaders within FORTUNE 1000 companies remained wary of public cloud adoption. HCOs, however, increasingly recognize the business value and are gravitating toward cloud solutions. This fact is underscored by a 2010 survey, which reported that about 32 percent of HCOs already use some form of cloud computing, and 73 percent reported that they plan to move more applications to the cloud (FierceHealthIT; June 28, 2010). But most HCOs, by a significant margin, preferred the control and certainty of a private cloud as a first step toward cloud. Notwithstanding those preferences, all cloud models have potential vulnerabilities that must be mitigated.

    Traditional computer security has many similarities to historical military tactics in protecting a city. A perimeter is established and fortified, a small number of gates are guarded to allow trusted persons to pass through, and guards both scan the horizon and keep tabs on potential threats inside the walls. As technologies such as catapults and cannons evolved, such traditional approaches still had value, but were adjusted and augmented to keep pace, thus leading to today's network firewalls and demilitarized zones (DMZs).

    Cloud computing can complicate security planning and execution by making it more difficult to discern an organization's perimeter because the organization's virtual resources are now located on the cloud hosting provider's premises. Thus, security and privacy policy must be extended to cloud services providers as part of contracting terms. By being able to dynamically extend a department's computing infrastructure beyond its perimeter, cloud computing offers cost-effective, scalable, on-demand service. But it ushers in an age of interdependence and inter-connectivity between customer and provider that organizations may be unaccustomed to experiencing.

    Such a new reality requires the establishment of a trust relationship in all phases of service delivery including security. Many health entities will find this newfound delegation of direct control to a services provider to be uncomfortable at best and possibly unacceptable for some applications. Security officers, who often feel personally responsible for the defensive posture of the organization, may struggle with the inherent limitations on their ability to inspect and test the service provider's security mechanisms. Again, clearly articulated expectations and responsibilities should be established in Service Level Agreements and in Business Associate Agreements.

    To further muddy the security waters, the infrastructure needing security controls and protection can expand and contract on the fly. Sophisticated management tools and flexible vendor agreements will allow CIOs to establish and manage multiple cloud infrastructures. Applications and data may be dynamically moved among private, community and public clouds as circumstances warrant. This constant change offers a new dimension of complexity in security planning and implementation.

    The Good News

    On the other hand, having valued clinical data centrally managed by an entity whose success (and continued viability) depends upon its ability to effectively manage and protect the confidentiality and integrity of those data is far less risky than having the data distributed

    Strategic Decisions Before Cloud Adoption

    The key to successful cloud design and implementation is to develop a comprehensive strategy that will meet the organization's short and longer-term needs. An experienced cloud consulting firm can guide an organization through key questions such as:

    - What are the goals for implementation?
    - Which of the process, quality targets, value measures and intangible benefits does the organization want to achieve?
    - What is the long-term vision for the provision of computing services?
    - What business needs are driving the initial target implementation and what is the timeline?
    - Is there an internal charge-back mechanism that needs to be supported?
    - Which security, privacy, and continuity considerations will affect the design of your implementation?
    - What are the HIPAA, Gramm-Leach-Bliley, or other data privacy-related factors that drive a cloud solution?
    - How mission-critical is the data and what level of availability is desired?
    - Do existing infrastructure and vendor relationships impact the design of a solution?
    - Is there an installed base of in-house technology that could benefit by being included in the solution?
    - Do the applications require a specified computing platform, both hardware and software?
    - Is there another reason, like the knowledge base of the in-house IT staff, that suggests the inclusion of a particular technology?
    - What level of cloud management does the organization wish to directly undertake?
    - Who will be ordering and monitoring service: end users or the CIO staff on their behalf?
    - What skill mix does the CIO staff bring to the table or are willing to develop?
    - Does the CIO wish to delegate workload and responsibility to an external party?

    The answers to these example questions, and the discussion that will ensue, will form the basis for initial solution development and the preparation of a long-term roadmap for cloud computing.

    Engineering, Implementation, and Cloud Management Services

    Once the strategic direction of the cloud computing initiative has been established, an organization will be ready to engage its technology partner to begin design and implementation. The technology partner will develop and present a solution and a project management plan. If the technology partner sells cloud products as well, the solution developed will most likely feature its own cloud management product suite.

    A solutions integrator, such as SAIC, on the other hand, will focus more centrally on the client's needs and typically remain vendor-neutral. The proposed solution will employ the best possible technology for the organization's needs, regardless of its origin.

    Regardless of which type of technology partner an organization chooses (product vendor or integrator), the following is an example list of services that may be acquired:

    - Private cloud implementation
    - Provisioning of public cloud compute and storage resources (e.g., Amazon Web Services, Terremark) on behalf of customers and internal users
    - Implementation and integration services for the four types of clouds
    - Security assessment (certification and accreditation, if required) of the cloud environment
    - Risk analysis and mitigation services
    - Security and privacy analyses
    - Access controls (identity management, authorization management and access auditing)
    - Penetration testing
    - Cloud infrastructure management and administration
    - Services management, information assurance, and cloud control services
    - Cloud computing testing and acceptance
    - Enterprise and carrier-class cloud network security services

    Managing Multiple Clouds

    SAIC believes that most enterprises will end up with a hybrid cloud model. Regardless of the risk-reward profile they choose when starting with cloud implementation, most organizations will eventually wish to link their existing infrastructure to public or community cloud resources. Beyond that, maturity in a cloud program results in the desire for flexibility to move workload among available compute and storage resources to get the best performance, to pursue the best pricing, and to avoid provider downtime, among other advantages. This will require the development or acquisition of a capability known as cloud brokerage. With the right cloud broker tools and know-how, an organization can maximize their cloud investments, simplify the management of their multi-cloud environment, and bring order to cloud chaos through the implementation of governance principles.

    Governance in the Cloud

    Like more traditional computing environments, cloud requires the definition of expectations, granting of authority, and verification of performance. But the unique features of cloud (that both the internal service provider and the end user may have a limited window into the operations of the environment) make the need for automated, rule-based, decision-support all the more critical.

    When SAIC was contemplating its own corporate commitment to cloud computing, we developed a list of needed governance functions. This list includes:

    - User authentication
    - Role-based access control
    - Customizable access privileges
    - Encryption key management
    - Intrusion detection and alerting
    - Audit logging and reporting
    - Implementation of flexible billing controls

    In addition, these functions are required across a multi-cloud environment. In designing the SAIC cloud solution, our Cloud Project Management Office conducted research and selected a vendor for cloud governance management. The experience SAIC gained from installing, configuring, and using our cloud governance tool suite allows us to offer to our customers an unusually broad array of cloud management services that draw from our own extensive experience.

    SAIC: Walking the Talk

    Moving SAIC's data center to an enterprise private cloud was a strategic decision with far-reaching benefits to the company and its customers. Most often cited by company executives, "practice[ing] what we preach" is a fundamental benefit of this effort. SAIC migrated its company-owned corporate data center from San Diego to a commercial data center in the Dallas area. In so doing, SAIC deepened its expertise in cloud migration from project management to full operations. This first-hand experience as a customer of cloud services helps us understand and address your cloud concerns. For SAIC, the answer was to move everything to a cloud computing infrastructure and use carefully architected technologies to deliver value to the business.

    SAIC established an enterprise private cloud based on the VCE Vblock technology. The Vblock is a pre-engineered virtualization block that features integrated technologies from partners Cisco, EMC and VMware. On a single chassis, it combines compute (Cisco UCS family), network (Cisco Nexus family), storage (EMC Symmetrix or Unified Storage) and virtualization (VMware vSphere 4).

    In October 2011, the SAIC Enterprise Cloud was up and running. Today, we continue to discover new ways to leverage our cloud architecture and capabilities.

    Getting Help with the Cloud

    SAIC is a world-renowned information and technology solutions provider to government and industry. Customer feedback consistently shows that SAIC's deep knowledge of an organization's business and alignment with its goals sets us apart from other systems integrators. For cloud computing transformation, our commitment to close analysis of enterprise assets and strategic planning in ongoing collaboration with stakeholders provides the knowledge and experience an organization needs to successfully navigate to a cloud solution. For those ready to maximize benefit, minimize risk, and ensure security through cloud computing, SAIC's portfolio of services, described on page 16, can chart your course toward a successful cloud implementation.

    World-Class Cloud Management and Support

    Once you are up and running on your new cloud environment, SAIC offers world-class cloud management and IT support services through our award-winning Integrated Services Management Center (ISMC). The ISMC provides a cost-effective solution for monitoring your cloud environment(s) and making sure that they meet service level objectives and evolve as your organization's requirements change. The ISMC provides expert personnel, automated processes and proven technologies that can lower the cost and raise the quality of IT services such as help desk support and data, application and infrastructure management.

    [Figure: SAIC Cloud Computing Services Portfolio]

    Assessments
    - Cloud Computing Assessment
    - Independent Cloud Security Assessment and Re-assessment
    - Cloud Computing Management Strategy Assessment and Definition

    Requirements
    - Cloud Computing Requirements Development
    - Comprehensive Cloud Security Requirements Development

    Architecture
    - Cloud Computing Architecture Development
    - Comprehensive Cloud Security Solution Architecture Development

    Training
    - Cloud 101 Executive-Level Course
    - Cloud 102 Practitioners Course

    eCommerce and eGovernment Architecture and Engineering Services
    - Cloud Business Transformation and Service Strategy Consultation
    - Cloud Training
    - Cloud Prototyping, Piloting, and Demonstration Support
    - Cloud Troubleshooting, Diagnostics, and Remediation
    - Cloud Testing and Acceptance Services
    - Cloud Development and Migration Services Applicable for both Existing and New:
      - Data Centers and Infrastructure
      - Systems and Platforms
      - Applications, Software, and Services
      - Data and Information Flows

    Managed ITIL-Compliant Cloud Administration and Governance Services
    - Initial Setup of Cloud Administration and Governance Capability
    - Provisioning, Managing, Monitoring, and Controlling Cloud Server and Storage Resources
    - ITIL Service and Help Desk Support
    - Configuration Management Services
    - Cloud Applications and Services O&M
    - Cloud Data Loading, Applications Monitoring, and Tuning

    Software as a Service (SaaS) Offerings
    - Social Networking and All Source Analytical Framework (ASAF)
    - CENTER (portal and collaboration)
    - Records Management Service Components (RMSCs)
    - OLIVE (virtual reality hosting)

    Managed Cloud CyberSecurity Services
    - Certification and Accreditation
    - Threat and Risk Analysis
    - Technical Vulnerability Analysis (TVA) and Penetration Testing
    - Intrusion Detection
    - Continuous Monitoring and Reporting
    - Persistent PKI Management
    - Encryption Software and Services
    - Cloud Disaster Recovery and Continuity of Operations (COOP)
    - CloudShield
    - Common Criteria Testing
