Welcome to Health Care POV | sign in | join
ADVANCE Perspective: HIT

Cloudbusting

Published March 10, 2009 8:46 AM by Bob Mitchell
Share
reddit Newsvine Del.icio.us Digg
Yahoo! Buzz LinkedIn StumbleUpon Google Bookmarks Mixx

With your head in the cloud as you hear Kate Bush's ethereal voice singing Cloudbusting, her shrill voice is trailing off..."The sun's coming out..."

We were sitting in an editorial planning meeting awhile back and the topic of cloud computing came up.

"Cloud computing, what's that?" someone asked.

"What do clouds have to do with computing?" someone else asked.

I'm sure they were all wondering what I had smoked and which cloud I was on. What do clouds have to do with computing and health IT?

I set out to find out more about cloud computing. Is it a bunch of hype? Is it for real? Is it being used in health IT?

I called Christopher Paidhrin, information security officer at Southwest Washington Medical Center (SWMC) in Vancouver, Wash., who I had worked with in the past to get his perspective on cloud computing. I learned that Paidhrin and other information security officers have many concerns about computing in the clouds.

The mark of the cloud

"We have explored the concept of cloud computing and what kind of value it could add. We are looking at what our peers are doing, the evolution of the technology and Web 2.0, but realize the financial constraints and profit margins of financial organizations -- where cloud computing cut its teeth -- and what audience or client value cloud computing serves for our purposes in health care," he said. "Of course, with any system I look at it from a security perspective, and honestly, there is so much to consider with cloud computing that we are looking at it very deliberately and cautiously."

Security considerations include service providers being hacked, having Web sites defaced, denial-of-service attacks, internal workforce member control issues. "All it takes is for someone inside your organization to decrease a security level. And for us in health care, all access to information is confidential," Paidhrin said. "We work with highly confidential information that we then entrust a third party to protect when we are putting it into the hands of someone else, such as in the cloud. That level of trust has to be extremely high, based on the realization that a lot of applications or service delivery is moving from a standalone host to a redundant host for availability services, and then virtualization, which is also highly available," he said.

"Especially in the cloud, there's going to be virtualization of services. If there's no security on the servers and someone knocks through the front door, then the database and repositories are vulnerable," he said, citing a recent article in Dark Reading that said only 35 percent of respondents who had to comply with Payment Card Industry [PCI] Data Security Standard or Sarbanes Oxley [SOX] had security solutions in place. "Thirty-seven percent had no security for their virtualization environments. Those numbers scare me," he said.

Paidhrin said that a lot of industries are moving a variety of services to the cloud for reasons of availability, capacity, outsourcing of services, SaaS and SOA. And, when software licensing, internal maintenance and management costs rise and the ability to buy cost-effective hosted services gets cheaper, "these are extremely strong motivators to move to the cloud," he said. "But, as we know, health care is slow to adopt new technologies. And despite the exorbitant increases in health care costs, providers are operating with slim margins as it is. There are also returns on investment/total cost of ownership [TCO] challenges we face with moving to the cloud. The cost of migrating these services can often be a deterrent," he said. There needs to be demonstrated value of the existing systems before hospitals/health systems can begin moving to cloud-based systems.

"Many organizations would rather not be early adopters in cloud computing. We want to see other industries' proof of concept that could be applied to health care; we want that pain point to be as far from us as possible," Paidhrin noted.

There is also some resistance from application vendors in health care. "They prefer -- because it's profitable for them, and also because of legacy standards -- to have their systems tested on standalone systems. It's an old mentality -- we can control the asset, we control the revision, and we control our software -- and in health care, many vendors will not provide support for third-party systems or hosted services."

In health care, similar to the operating environment at SWMC, there are more hundreds of stand-alone applications. "At SWMC at least 150 of them are legacy applications, developed in COBOL, Visual basic, FORTRAN -- basically older programs that are not .Net, HTML or Web 2.0-friendly, for that matter. Vendors are slow to move toward portals or Web front-ends. They don't want to share the virtual space whether it's in a local server cluster or in the cloud. The legacy applications only work with one kind of database, and they may or may not work with a public or open source server or operating system," he said.

What's needed?

Paidhrin said that what's needed is an infrastructure, albeit, a health care cloud player, "...someone who has proven themselves in another industry and now demonstrates how it can be done in health care," he said.

But until that exists, and it's profitable, health care is going to be averse to moving to the cloud. "I think that health care would prefer open source because of the challenges we have had with vendor-specific applications. We don't like being trapped, and we're seen the virtue and value of open source, which has better licensing models, as opposed to desktop, per-seat licensing models of the past," he said.

Paidhrin said that moving information security to the cloud is a specific area that has potential. Cost incentives, because of security's broad reach, make cloud computing attainable in that environment. Because it takes anywhere from three to five people to maintain network and endpoint security, the TCO to leverage all services via the cloud for policy compliance makes it a serious consideration, he said.

"Security monitoring tools are highly available and highly trusted, and the CxOs get a report immediately which provides value for the work they are doing," he said. Newly available tools are rapidly achieving cloud-based security, but we're still a ways off in adopting universal security standards, like OASIS/SAML. Monitoring of mobile devices, such as laptops and other devices make cloud computing an important consideration. Cloud-based security would be beneficial for such things as laptop and mobile [encryption] security," he added.

Tell me your stories about cloud computing. Have you explored the cloud? Are you considering doing any work in the cloud? E-mail me at RMitchell@advanceweb.com.

I'll post your comments here.

 

posted by Bob Mitchell
tags: , , , , ,

2 comments
add a comment »

Interesting news from Sun Microsystems this morning. Sun is developing a public cloud technology:

SAN FRANCISCO - (AP) Taking a cue from Amazon.com, Sun Microsystems Inc. plans to launch its own "public cloud" service, which will let everyone from big-time corporations to dorm-room entrepreneurs run their businesses on Sun's computers without buying hardware of their own.

Santa Clara, Calif.-based Sun planned to announce the offering Wednesday, in a move that reflects the growing interest in so-called "cloud computing," which is industry jargon for providing computing resources over the Internet.

Traditional data centers hog energy, and stocking them with cutting-edge servers and storage machines is expensive, which explains the appeal of cloud-based services. Some examples range from Web-based e-mail to customer-management programs from Salesforce.com Inc.

Amazon says more than 490,000 people and corporations have signed up for its cloud computing service since it launched in 2006, but some analysts have criticized it as a financial dud. Amazon doesn't break the division's financials, and won't say whether it is profitable.

Sun says its public cloud is just one element of its strategy.

Lew Tucker, CTO for Sun's cloud computing group, said Sun believes there are bigger profits in selling the technology to companies that want to provide cloud services themselves, or to large corporations that want cloud services for its employees but refuse to surrender their most sensitive, proprietary data.

Sun needs a new revenue channel, having seen it become harder and harder to sell new server hardware to corporate customers. Sales in Sun's server division fell $191 million last year to $6.26 billion.
Bob Mitchell March 18, 2009 9:08 AM
King of Prussia PA

Excellent article!

Health care is always slow to adopt, but it's good to be cautious, especially when implementing any new technology and one where you give up much of your control, such as cloud computing technologies.
Alyson March 10, 2009 4:43 PM

leave a comment


To prevent comment spam, please type the code you see below into the code field before submitting your comment. If you cannot read the numbers in the image, reload the page to generate a new one.

Captcha
Enter the security code below: