Those two extremes can be neatly summed up by the experience of David Endicott, CTO and senior vice president of Providence Health & Services, a healthcare provider with 50 hospitals and 829 clinics across five Western states. It wasn’t a long-term struggle for Endicott to implement a cloud-first strategy — opting for Microsoft 365 and a cloud-based ERP system — but he had to proceed deliberately and with caution.
Once Endicott decided to move the hospital system’s complex data analytics process to the public cloud, however, “easy” went out the window, thanks to the healthcare business associate agreement (BAA). Three years have passed since Endicott started shifting genomics research, operational data and some de-identified patient data to the cloud — and it’s still a work in progress.
That dichotomy is reflected in a 2017 survey from KLAS Research, which showed hospitals are eager and enthusiastic about the public cloud for some things, but also wary and slow moving for others. All told, more than 70% of healthcare organizations surveyed have at least some part of IT operations in a public cloud, and 69% want to move to the cloud or expand what they’re already doing there. But a significant 31% have no plans that include a public cloud because of concerns ranging from security and privacy to cost and performance.
At a time when healthcare IT continues to be widely perceived as lagging behind other industries, it’s ironic that the cloud — arguably a powerful solution widely used in other industries — is still not a straightforward choice.
“The cloud can actually put you in a time machine and move you forward,” argued Haddon Bennett, CISO at healthcare cloud platform seller Change Healthcare. “Healthcare is slower to adopt [new things] than other industries. They hide behind security concerns, but the reality is, they don’t want to make changes. Healthcare is 15 years behind where the financial services industry is. Go to the cloud, and you can catch up.”
Or providers can at least try to catch up, as Endicott suggested. Providence, which has grown through acquisitions, had ambitious data analytics efforts in mind, and the cloud was the obvious choice to establish a data lake and move forward. The hospital group was already on all three major public clouds — AWS, Microsoft and Google — so it should have been a simple effort.
But it was nothing of the sort. “The biggest challenge we had with the cloud was a legal one,” Endicott acknowledged. “It was very difficult getting the different providers to basically sign our healthcare BAA. I think as the cloud companies got a little more mature and I think as they started to work with more healthcare companies, they certainly understood better the requirements of healthcare entities. But I would still say that it’s an issue.”
For patient information to be shared, providers and partners must enter into a HIPAA-mandated BAA. And in the brave new world of cloud computing and healthcare, past experience isn’t really much help when negotiating those contracts, Endicott said. “Outsourcing has been around and has 30 years of contract law to get to what I would call accepted terms and conditions,” he explained. “In the cloud world, things are much less mature, so there is a difference between the roles and responsibilities a customer has with the cloud as opposed to outsourcing.”
In fact, nothing is going to prepare a healthcare organization to negotiate with a big cloud vendor since there likely isn’t much, if any, room for negotiation in a healthcare BAA, said attorney and HIPAA expert David Harlow, owner of the Harlow Group. “Unless you’re a giant customer, you’re not going to get a whole lot of negotiated changes in an AWS or other cloud services agreement,” he advised. “Most healthcare providers are not in a position to negotiate with an Amazon.”
At issue is what large cloud vendors see as their responsibility in their healthcare BAA versus what a hospital looks for, Harlow noted. “What BA agreements from large cloud providers do is basically say, HIPAA does not, strictly speaking, require encryption in all cases, but we do not put anything on our cloud unless it’s encrypted,” he said. “That absolves them of much liability in terms of security. If data is delivered already encrypted and there’s a breach, it’s not going to be a significant problem to a cloud provider.”
Endicott agreed: “Limitations of liability have shifted from the [cloud] provider over to the customer, and that’s something you have to be aware of. A healthcare BAA is typically very clear in terms of assigning accountability when it comes to the security of patient records.”
Developing a BAA strategy
Still, it’s vital to read the healthcare BAA thoroughly. After three-plus years of experience migrating to the cloud, Endicott and his team are about as close to being experts as any hospital officials when it comes to cloud legal issues.
According to Endicott, two IT law experts on Providence’s legal team thoroughly examine the BAA, then it goes to the security team. “We want them to go over it with a fine-tooth comb,” he added, “so we know exactly what the security posture of the hoster is.”
Then it’s time to validate. Endicott wants to know exactly what a vendor can and will deliver, and he’s willing to do on-site inspections at the cloud company, if necessary. “So we’ve had a couple of cases where we did an inspection of a SaaS provider,” he said. “We inspected the data center hosting and found out some very poor results. Particularly on SaaS, we don’t trust. We verify [if] what they’re saying actually is the case.”
And it doesn’t stop there. Endicott’s team also benchmarks pricing and closely compares offerings to other healthcare operations to ensure Providence is getting the best value for its money. “When we’re looking at either a new application or looking at updating an existing one,” he said, “we are looking at SaaS first and then looking at alternatives after that. We have a hybrid cloud strategy, and based on a workload and how critical it is from an operational standpoint and how secure an app has to be, we make decisions. A variety of factors play into it. Is this something I can put in and transfer to the cloud, or is it something I need to keep on prem?” Endicott noted that Providence’s clinical applications, including Epic, aren’t yet cloud-ready.
Still, after three years, the hospital is beginning to see some results, he reported, but the time so far has been mostly spent “leaning in” to the cloud. It has taken patience, particularly around the healthcare BAA issue, but the end goal is clear.
“If I look at healthcare in particular, where there’s a vast amount of data either on the cost side or on the patient side or on the operational side, most places, including us, just don’t have the computational horsepower to be able to mine that effectively to get insights,” Endicott reasoned. “When I’m thinking about the cloud, a lot of my thought processes are, ‘What are the services I can get from the cloud that there is no way I can replicate or even try and replicate?’”