Cloud brokering is happening elsewhere in healthcare, where CIOs are exercising additional due diligence in embracing hosted software in the face of stringent regulations. Creative Solutions in Healthcare is running 100 percent of its infrastructure in a VMware public cloud, says Shawn Wiora, CIO and CISO of the Fort Worth, Texas, nursing home provider, which has 5,000 patients.
In preparation for a move to the cloud in 2014, Wiora compared documentation for both HIPAA and the HITECH Act, and created a row in a spreadsheet for any technical requirement he needed to address. Then he presented it to VMware with the understanding that their co-signed BAA would include anything from documented processes for how VMware would dispose of storage disks to breach notification and encryption. Since switching to VMware last year, he's dramatically reduced his infrastructure costs, as well as the time and maintenance required to maintain servers. "We've got a really good handshake across the BAA and a great relationship," Wiora says.
Yet Wiora is convinced he's an outlier. He says that many of his CIO peers still operate under the assumption that stringent HIPAA rules make it nearly impossible for healthcare organizations to adopt cloud services. He argues that "risk mitigation is much better with a cloud provider," which can provide better security assurances than most hospitals. In addition to VMware, he's using between 15 and 20 software-as-a-service apps for capabilities such as service management, single sign-on, human resources and electronic medical records.
Does agility trump regulatory risks?
For other healthcare CIOs, the business agility of cloud outweighs the risk of regulatory noncompliance. Partners in Health CIO Dave Mayo in 2013 began using Microsoft Azure and Office 365 to ensure that the nonprofit organization's 17,000 clinicians, who provide healthcare services in such impoverished countries as Rwanda, Haiti and Mexico, could reliably exchange information, including X-rays and other digital images. “Email is our supply chain,” Mayo says.
Partners in Health previously used six disparate email systems, supported by a hodgepodge of servers battling to survive in hot climates. It couldn't afford to build and staff data centers, let alone get support from high-tech vendors in such far-flung regions.
The cloud was the only answer. "We needed one platform to help unite the organization so that clinicians in the field didn't have to worry about technology," Mayo says. Mayo says that although the countries Partners in Health serves are not subject to HIPAA laws, he's signed a BAA with Microsoft to ensure that the partners comply with HIPAA terms. “You don’t have to be HIPAA-compliant in Malawi, Africa, but we are.” Why? It's just good practice, he says.