7/31/2019 Cloud Computing Healthcare
NATIONAL SECURITY | ENERGY & ENVIRONMENT | HEALTH | CYBERSECURITY
Cloud Computing in Healthcare Organizations
WHITE PAPER
A perspective from Science Applications International
Corporation (SAIC)
SAIC. All rights reserved.
Table of Contents
Cloud Computing for Healthcare
Benefits of Cloud Computing
Potential Cloud Computing Risks
Security in the Cloud
Strategic Decisions Before Cloud Adoption
Engineering, Implementation, and Cloud Management Services
SAIC: Walking the Talk
Getting Help with the Cloud
Looking Ahead
Cloud Computing for Healthcare

With unprecedented pressures on healthcare organization (HCO) leaders to deliver more with less, many are looking for technology solutions to help realize goals for improved service quality and efficiency. Technology experts at Science Applications International Corporation (SAIC) understand that implementing complex health information technology (HIT) systems can be challenging enough; but managing on-going operations with IT departments that are chronically underfunded and understaffed has a lot of CIOs looking to the cloud for answers to an equation that's tough to balance.

What is Cloud Computing?

Cloud computing is the delivery of IT infrastructure assets such as server capacity and software applications over the Internet on a utility basis. Cloud computing offers convenient, rapid and timely access to a shared pool of computing resources. Such resources can be strictly infrastructure components (i.e., networks, servers, storage, etc.) or can include software to facilitate ready access to applications and services.

Cloud computing resources offer attractive flexibility; as usage demand ebbs and flows, the amount of horsepower being consumed can be adjusted to meet changing computing needs. But cloud computing is not just a new name for resource virtualization. Features such as self-service provisioning of resources and advanced use-metering distinguish cloud computing as a new and transformational technology that promises to make the cloud a utility-like resource.

As with all transformational models, the business value to be gained through cloud computing is proportional to the thought invested up front. Organizations that are truly serious about moving their assets and processes to the cloud should first consider some important strategic questions about their business processes and computing needs before selecting a technical solution.

The strategy questions may seem vexing since they require engagement from the leadership ranks of the organization. But close attention to strategic planning will empower organizations to invest in solutions that will help them address their current computing needs, while providing a sustainable path to the future.

The Preferred Computing Solution for Healthcare

In cloud computing, the focus is on the selection of one of three service models: Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS), described in the table on page 4. With an understanding of an HCO's goals, needs, and constraints, a cloud solution can be engineered to deliver specific, externally hosted applications, a complete computing platform for local applications to use, or simply rapid access to flexible and scalable computing. Cloud computing could be the centerpiece of the healthcare CIO's strategic IT planning.

End users (such as a person, a department, a clinic, or an IT organization) can order services through a self-service catalog located on the Internet or private network. Service options should be chosen to maximize business value to the organization based on the strategic decisions mentioned above. The catalog should clearly define service levels and associated pricing, and services should be obtainable by submitting a service request. Once the service request transaction is complete, the service is
Cloud Types | Characteristics
Community | A community cloud offers benefits of both the private and public clouds. Essentially, community clouds are public clouds whose tenants are limited to a defined group or class of customers. This could include a cloud for hospital consortia such as an integrated delivery network (IDN) or an accountable care organization (ACO). These offerings are optimized for the customer community, and for regulated industries, such as healthcare, so that they comply with all applicable regulations. For example, a healthcare community cloud would be engineered to comply with Health Insurance Portability and Accountability Act (HIPAA) security and privacy requirements.
Hybrid | Integrating elements from the previous three types, hybrid cloud is custom-engineered, frequently for a particular customer. Many customers, like hospitals and physician organizations that may be closing data centers, desire to integrate existing assets with an externally-hosted cloud solution.
Benefits of Cloud Computing

Cloud computing offers both tangible and intangible benefits to healthcare organizations. Through self-service ordering, reduced capital investment, and an abundance of performance metrics, healthcare CIOs can both improve the quality of service and reduce their costs. A move to the cloud also offers intangible benefits to long-suffering CIO offices struggling with more mandates than available resources.

Process
- Immediate self-service through a Web-based service catalog triggering a service request and subsequent automated workflow
- Improved scalability to meet mission/business demand and surges
- Improved mission/business agility through rapid provisioning

Investment
- Buy only as much as you need when you need it, using a metered subscription (pay-as-you-go) model
- Reduced or no up-front capital investment for new information services
- Reduced management and maintenance for existing information services

Value
- Measurable services
- Proactive service continuity in the event of an outage or disaster
- Improved accessibility and portability through open and simplified architecture
- Security custom tailored to the business need

Intangible
- Focus intellectual capital on core business activities
- Transfer of service responsibility to an external party
- Reinvest IT expertise and capital on improved service and emerging issues
- Improve the reputation and influence of the organization

It's important to note that setting one's sights on cloud computing is not an all-or-nothing proposition. Process, investment, value, and intangible benefits can be partially achieved by working toward cloud computing without a complete adoption. A seasoned technology partner with strong skills in solution development through integration of new and existing assets is essential.
Cloud Computing Opportunities for Healthcare

The following is a list of use cases where cloud computing can bring value to the HCO. SAIC is assisting organizations with cloudifying many of these functions.

Mission-Driven
- Hospital-based electronic health records (EHRs)
- Community-based health information sharing
- Integrated delivery networks (IDNs)
- Ambulatory EHR and practice management
- Personal Health Records (PHRs)
- Patient accounting, financial and billing systems
- Enterprise Resource Planning (ERP) systems
- Clinical ancillary systems such as Laboratory Information Management Systems (LIMS) and Electronic Prescribing (E-prescribing)
- Consumer communications and social media
- Cyclical and seasonal mission requirements (e.g., orthopedic services related to winter falls, flu season spike in demand)
- Statistical and analytical functions requiring large-scale scientific and technical computing (outcomes analysis, business intelligence)
- Episodic requirements which can benefit from rapid, on-demand cloud provisioning (e.g., emergency management, outbreak management, and food poisoning)
- e-Filing efforts comprising complex multi-directional information submission, public collaboration, benefits transfer, and grants management
- Broad and distributed quality, revenue, professional association or network responsibilities requiring information gathering, modeling, data mining, visualization, etc.

Cross-Cutting
- Communications (email, messaging, and mobile) and workflow management
- Information discovery, archiving, search and retrieval, records management, and digital notary
- Marketing, online training, and information dissemination
- Employee orientation, announcements, services, training, and networking
- Mobile application access and delivery
- Backup and Recovery and Continuity of Operations (COOP)
- Data gathering and situational awareness.
Potential Cloud Computing Risks

All computing solutions have inherent risks, and cloud computing is no exception. An organization must ensure that its risk exposure is reduced by adopting a cloud strategy that identifies and quantifies risk, avoids it if possible, and mitigates it if necessary.

The following table summarizes major risks, typical exposure, and mitigation response for cloud computing:

Risks | Mitigation/Avoidance Strategies
Security, including non-compliance with the HIPAA Security Rule, and malicious intrusions | Security must be engineered into the design of the cloud and cloud monitoring and management processes. Use of National Institute of Standards and Technology (NIST) standards, cloud management tools for role-based access, and encryption of data at rest and data in motion will reduce vulnerability. Clear Service Level Agreements establishing responsibilities of the provider and the user are essential to controlling access, use, and management of sensitive data.
Privacy risks, including non-compliance with the HIPAA Privacy Rule, breach exposures of private information, and identity disclosures resulting from data mining and advanced analytics | Policies and practices must be implemented that assure compliance with the HIPAA Privacy Rule. Monitoring to identify and prevent potential intrusions. Measuring and reducing the probability of identity disclosure. Ensuring that the proper contractual and legal protections are enacted.
Lack of transparency into cloud environment | Use of cloud-compatible auditing and logging tools is critical for maintaining a window into the cloud to monitor security, availability, capacity, and performance.
Lack of support for regulations and service levels; possibility of cloud supplier bankruptcy | HCOs need to apply due diligence in the selection of cloud service providers. Contracts need to clearly assign responsibilities for regulatory compliance, and delineate monitoring service levels using cloud management tools.
Availability issues including outages, low bandwidth, unproven cloud providers, and no end-to-end monitoring | Lessons learned from high visibility cloud outages suggest that well-engineered systems suffer scant downtime. Building redundancy and extensive use of monitoring and metering right into a cloud strategy will pay dividends over time.
Incompatibility of cloud with customer architecture and service management processes | Most customers will have legacy infrastructure that must be integrated into a cloud strategy. A good design will overcome potential incompatibility through use of a consistent technical reference model, architectural standards, and best practices.
Compatibility of cloud with customer finance model and charging mechanisms | Cloud hosting vendors can provide the information to both examine expenses and charge back to internal customers. When merged with a detailed distribution of legacy capital investment, transition-operation labor, and maintenance costs, this information can result in transparent cost pools for charge-back.
Security in the Cloud

Challenges

A May 2011 Computerworld survey showed that, for security reasons, IT leaders within FORTUNE 1000 companies remained wary of public cloud adoption. HCOs, however, increasingly recognize the business value and are gravitating toward cloud solutions. This fact is underscored by a 2010 survey, which reported that about 32 percent of HCOs already use some form of cloud computing, and 73 percent reported that they plan to move more applications to the cloud (FierceHealthIT; June 28, 2010). But most HCOs, by a significant margin, preferred the control and certainty of a private cloud as a first step toward cloud. Notwithstanding those preferences, all cloud models have potential vulnerabilities that must be mitigated.

Traditional computer security has many similarities to historical military tactics in protecting a city. A perimeter is established and fortified, a small number of gates are guarded to allow trusted persons to pass through, and guards both scan the horizon and keep tabs on potential threats inside the walls. As technologies such as catapults and cannons evolved, such traditional approaches still had value, but were adjusted and augmented to keep pace, thus leading to today's network firewalls and demilitarized zones (DMZs).

Cloud computing can complicate security planning and execution by making it more difficult to discern an organization's perimeter because the organization's virtual resources are now located on the cloud hosting provider's premises. Thus, security and privacy policy must be extended to cloud services providers as part of contracting terms. By being able to dynamically extend a department's computing infrastructure beyond its perimeter, cloud computing offers cost-effective, scalable, on-demand service. But it ushers in an age of interdependence and inter-connectivity between customer and provider that organizations may be unaccustomed to experiencing.

Such a new reality requires the establishment of a trust relationship in all phases of service delivery including security. Many health entities will find this newfound delegation of direct control to a services provider to be uncomfortable at best and possibly unacceptable for some applications. Security officers, who often feel personally responsible for the defensive posture of the organization, may struggle with the inherent limitations on their ability to inspect and test the service provider's security mechanisms. Again, clearly articulated expectations and responsibilities should be established in Service Level Agreements and in Business Associate Agreements.

To further muddy the security waters, the infrastructure needing security controls and protection can expand and contract on the fly. Sophisticated management tools and flexible vendor agreements will allow CIOs to establish and manage multiple cloud infrastructures. Applications and data may be dynamically moved among private, community and public clouds as circumstances warrant. This constant change offers a new dimension of complexity in security planning and implementation.

The Good News

On the other hand, having valued clinical data centrally managed by an entity whose success (and continued viability) depends upon its ability to effectively manage and protect the confidentiality and integrity of those data is far less risky than having the data distributed
Strategic Decisions Before Cloud Adoption

The key to successful cloud design and implementation is to develop a comprehensive strategy that will meet the organization's short- and longer-term needs. An experienced cloud consulting firm can guide an organization through key questions such as:

- What are the goals for implementation?
- Which of the process, quality targets, value measures and intangible benefits does the organization want to achieve?
- What is the long-term vision for the provision of computing services?
- What business needs are driving the initial target implementation and what is the timeline?
- Is there an internal charge-back mechanism that needs to be supported?
- Which security, privacy, and continuity considerations will affect the design of your implementation?
- What are the HIPAA, Gramm-Leach-Bliley, or other data privacy-related factors that drive a cloud solution?
- How mission-critical is the data and what level of availability is desired?
- Do existing infrastructure and vendor relationships impact the design of a solution?
- Is there an installed base of in-house technology that could benefit by being included in the solution?
- Do the applications require a specified computing platform, both hardware and software?
- Is there another reason, like the knowledge base of the in-house IT staff, that suggests the inclusion of a particular technology?
- What level of cloud management does the organization wish to directly undertake?
- Who will be ordering and monitoring service: end users or the CIO staff on their behalf?
- What skill mix does the CIO staff bring to the table or are willing to develop?
- Does the CIO wish to delegate workload and responsibility to an external party?

The answers to these example questions, and the discussion that will ensue, will form the basis for initial solution development and the preparation of a long-term roadmap for cloud computing.
Engineering, Implementation, and Cloud Management Services

Once the strategic direction of the cloud computing initiative has been established, an organization will be ready to engage its technology partner to begin design and implementation. The technology partner will develop and present a solution and a project management plan. If the technology partner sells cloud products as well, the solution developed will most likely feature its own cloud management product suite.

A solutions integrator, such as SAIC, on the other hand, will focus more centrally on the client's needs and typically remain vendor-neutral. The proposed solution will employ the best possible technology for the organization's needs, regardless of its origin.

Regardless of which type of technology partner an organization chooses (product vendor or integrator), the following is an example list of services that may be acquired:

- Private cloud implementation
- Provisioning of public cloud compute and storage resources (e.g., Amazon Web Services, Terremark) on behalf of customers and internal users
- Implementation and integration services for the four types of clouds
- Security assessment (certification and accreditation, if required) of the cloud environment
- Risk analysis and mitigation services
- Security and privacy analyses
- Access controls (identity management, authorization management and access auditing)
- Penetration testing
- Cloud infrastructure management and administration
- Services management, information assurance, and cloud control services
- Cloud computing testing and acceptance
- Enterprise and carrier-class cloud network security services

Managing Multiple Clouds

SAIC believes that most enterprises will end up with a hybrid cloud model. Regardless of the risk-reward profile they choose when starting with cloud implementation, most organizations will eventually wish to link their existing infrastructure to public or community cloud resources. Beyond that, maturity in a cloud program results in the desire for flexibility to move workload among available compute and storage resources to get the best performance, to pursue the best pricing, and to avoid provider downtime, among other advantages. This will require the development or acquisition of a capability known as cloud brokerage. With the right cloud broker tools and know-how, an organization can maximize its cloud investments, simplify the management of its multi-cloud environment, and bring order to cloud chaos through the implementation of governance principles.

Governance in the Cloud

Like more traditional computing environments, cloud requires the definition of expectations, granting of authority, and verification of performance. But the unique features of cloud (that both the internal service provider and the end user may have a limited window into the operations of the environment) make the need for automated, rule-based decision support all the more critical.
When SAIC was contemplating its own corporate commitment to cloud computing, we developed a list of needed governance functions. This list includes:

- User authentication
- Role-based access control
- Customizable access privileges
- Encryption key management
- Intrusion detection and alerting
- Audit logging and reporting
- Implementation of flexible billing controls

In addition, these functions are required across a multi-cloud environment. In designing the SAIC cloud solution, our Cloud Project Management Office conducted research and selected a vendor for cloud governance management. The experience SAIC gained from installing, configuring, and using our cloud governance tool suite allows us to offer to our customers an unusually broad array of cloud management services that draw from our own extensive experience.
SAIC: Walking the Talk

Moving SAIC's data center to an enterprise private cloud was a strategic decision with far-reaching benefits to the company and its customers. Most often cited by company executives, "practice[ing] what we preach" is a fundamental benefit of this effort. SAIC migrated its company-owned corporate data center from San Diego to a commercial data center in the Dallas area. In so doing, SAIC deepened its expertise in cloud migration from project management to full operations. This first-hand experience as a customer of cloud services helps us understand and address your cloud concerns. For SAIC, the answer was to move everything to a cloud computing infrastructure and use carefully architected technologies to deliver value to the business.

SAIC established an enterprise private cloud based on the VCE Vblock technology. The Vblock is a pre-engineered virtualization block that features integrated technologies from partners Cisco, EMC and VMware. On a single chassis, it combines compute (Cisco UCS family), network (Cisco Nexus family), storage (EMC Symmetrix or Unified Storage) and virtualization (VMware vSphere 4).

In October 2011, the SAIC Enterprise Cloud was up and running. Today, we continue to discover new ways to leverage our cloud architecture and capabilities.
Getting Help with the Cloud

SAIC is a world-renowned information and technology solutions provider to government and industry. Customer feedback consistently shows that SAIC's deep knowledge of an organization's business and alignment with its goals sets us apart from other systems integrators. For cloud computing transformation, our commitment to close analysis of enterprise assets and strategic planning in ongoing collaboration with stakeholders provides the knowledge and experience an organization needs to successfully navigate to a cloud solution. For those ready to maximize benefit, minimize risk, and ensure security through cloud computing, SAIC's portfolio of services, described on page 16, can chart your course toward a successful cloud implementation.

World-Class Cloud Management and Support

Once you are up and running on your new cloud environment, SAIC offers world-class cloud management and IT support services through our award-winning Integrated Services Management Center (ISMC). The ISMC provides a cost-effective solution for monitoring your cloud environment(s) and making sure that they meet service level objectives and evolve as your organization's requirements change. The ISMC provides expert personnel, automated processes and proven technologies that can lower the cost and raise the quality of IT services such as help desk support and data, application and infrastructure management.
[Figure: SAIC Cloud Computing Services Portfolio. Diagram labels: Managed Cloud Cybersecurity Services; ITIL-Compliant Cloud Administration and Governance Services; Software as a Service (SaaS); Platform as a Service (PaaS); Infrastructure as a Service (IaaS); User Admin Portal/Catalog; Service Desk Support; Users; Assessments, Requirements and Architecture (cloud computing, security, management); Training; ITIL-Compliant eCommerce and eGovernment Services; Your Enterprise]
Assessments
- Cloud Computing Assessment
- Independent Cloud Security Assessment and Re-assessment
- Cloud Computing Management Strategy Assessment and Definition

Requirements
- Cloud Computing Requirements Development
- Comprehensive Cloud Security Requirements Development

Architecture
- Cloud Computing Architecture Development
- Comprehensive Cloud Security Solution Architecture Development

Training
- Cloud 101 Executive-Level Course
- Cloud 102 Practitioners Course

eCommerce and eGovernment Architecture and Engineering Services
- Cloud Business Transformation and Service Strategy Consultation
- Cloud Training
- Cloud Prototyping, Piloting, and Demonstration Support
- Cloud Troubleshooting, Diagnostics, and Remediation
- Cloud Testing and Acceptance Services
- Cloud Development and Migration Services Applicable for both Existing and New:
  - Data Centers and Infrastructure
  - Systems and Platforms
  - Applications, Software, and Services
  - Data and Information Flows

Managed ITIL-Compliant Cloud Administration and Governance Services
- Initial Setup of Cloud Administration and Governance Capability
- Provisioning, Managing, Monitoring, and Controlling Cloud Server and Storage Resources
- ITIL Service and Help Desk Support
- Configuration Management Services
- Cloud Applications and Services O&M
- Cloud Data Loading, Applications Monitoring, and Tuning

Software as a Service (SaaS) Offerings
- Social Networking and All Source Analytical Framework (ASAF)
- CENTER (portal and collaboration)
- Records Management Service Components (RMSCs)
- OLIVE (virtual reality hosting)

Managed Cloud CyberSecurity Services
- Certification and Accreditation
- Threat and Risk Analysis
- Technical Vulnerability Analysis (TVA) and Penetration Testing
- Intrusion Detection
- Continuous Monitoring and Reporting
- Persistent PKI Management
- Encryption Software and Services
- Cloud Disaster Recovery and Continuity of Operations (COOP)
- CloudShield
- Common Criteria Testing
[Figure labels: Migration Services: Business Processes; Data and Information Flows; Applications, Software, and Services; Systems and Platforms; Legacy/Existing Data Centers and Technology Infrastructure]