Considering the Cloud: Inside the Mind of the Healthcare CIO

December 15, 2015, 2:00 – 3:00 pm ET

Housekeeping Issues

All participants are muted – To ask a question or make a comment, please submit via the chat feature and we will address as many as possible after the presentations.

Audio and Visual is through www.readytalk.com. – If you are experiencing technical difficulties accessing audio through the web, there will be a dial-in phone number displayed for you to call. In addition, if you have any challenges joining the conference or need technical assistance, please contact ReadyTalk Customer Care: 800.843.9166.

Today’s slides will be available for download on our homepage at www.ehidc.org

Overview of eHealth Initiative

• Membership-based, non-profit

• Mission: to promote the use of HIT as a key component of health system reform.

• Research, advocacy, education: host webinars and events to:

– Highlight higher-level theory and policy behind the use of health IT

– Demonstrate on the ground examples of how organizations are using technology

– Share lessons learned and best practices

Multi-Stakeholder Leaders in Every Sector of Healthcare

Considering the Cloud: Inside the Mind of the Healthcare CIO

Explore the role of the cloud in healthcare

Why use the cloud in healthcare? – discuss advantages of cloud infrastructure

How to best enable the effective use of cloud? – governance, security, vendor relationships, workflow, etc.

What impact has the cloud had on the enterprise?

Agenda

2:00 – 2:05 Welcome & Introductions

2:05 – 2:30 Presentations

– Mitch Parker, Chief Information Security Officer, Temple University Health System

– Chad Thiemann, Privacy Director, Information Governance & Privacy Operations, CVS Health

2:30 – 3:00 Audience Q&A


Speakers

Chad Thiemann, Privacy Director, Information Governance & Privacy Operations, CVS Health

Mitch Parker, Chief Information Security Officer, Temple University Health System

Considering the Cloud

Mitchell Parker, CISSP

CISO

Temple Health

Purpose of Presentation

• To show that the cloud is already in use in the healthcare environment, and how we can best manage it

The role of the Cloud

• Healthcare has always been about leveraging shared services to save money

– In the first days of computing, Service Bureaus used to provide time on mainframes for data processing

– Shared Medical Systems’ (now part of Cerner) business model based on it

• This model continues, with multiple vendors offering Electronic Medical and Health Records as shared services

The role of the Cloud (2)

• There are several factors causing CIOs and CFOs to look into the Cloud:

– Increased Clinical Initiatives taking up capital pool money

– Increased operational costs for EMRs, EHRs, and supporting ancillary systems

– Cash flow pressures due to public markets (bond, stock) and need to maintain certain operational income margins

– Increased regulatory requirements (Joint Commission, CMS)

Why use the cloud in healthcare?

• Reduce costs of supporting non-core systems

– Human Resources, Supply Chain, E-mail, File Storage

– Turn capital costs into Operational Costs

• Provide Better Security

– Cloud Providers can provide better support and maintenance as they focus on your systems

– They plan in aggregate and leverage costs

– Better operational monitoring of systems

– Better patching and protecting against vulnerabilities

Why use the cloud in healthcare (2)?

• Reduce costs of supporting core systems

– EMRs are expensive

– So are Ancillary Systems

– Scarce resources for large popular implementations

– Hosting the EMR elsewhere allows for predictable costs, maintenance, and upgrades

– It also reduces risk to the core environment by having patients access the third party site instead of the hospital/healthcare environments

HOW TO BEST ENABLE CLOUD USAGE

Governance

– Cloud applications need to fall under the same rules and regulations that on-premise applications do, with no exceptions

– Supply Chain needs to be heavily involved

• One of the issues we found was “shadow IT” doing acquisition and purchasing

• You need to be able to have one set of rules that apply to everyone

– Departments need to be heavily involved

• Even if your departments do not have cloud-based applications, their vendors do

Security

– You need to be very comprehensive in security evaluations

• Standardized Questionnaire

• Standardized Contract Language for HIPAA and Security

– Preliminary Risk Assessments of products before the contract is even signed

– Yearly risk assessments as per the HIPAA Security Rule

– You have every right to ask questions and ask vendors for changes

– Always make sure that moving a core system improves security and supporting processes

Vendor Relationships

– You need to have very tight relationships

• They are your business partners, not your adversaries

– Make sure that contracts spell out everything they need to do

– Make sure that preliminary questionnaires cover major areas of security (hosting, development, ongoing maintenance, upgrades, downtime)

– You need to be upfront and specific about security Service Level Agreements

Disaster Recovery

• As per the Joint Commission Information Management Standards, organizations need:

– Downtime Procedures

– Disaster Recovery Plans

• While an organization might have been able to get away with not updating this as much in the past, this is different now

• This is now something that needs to be tested at least yearly, if not more

• This is one hidden cost that organizations may not be aware of

– Cloud does not obviate your need for DR and Downtime Procedures

– Now that your applications aren’t on premise, even if they are redundant, there is still increased risk of loss of connectivity

– You need to be able to function without the Cloud

Workflow

• Cloud Applications need to be evaluated to see how they fit into organizational workflow

• Just going to something because it’s “in the Cloud” doesn’t help you

• You need to be able to make sure that applications work with what you have

Example #1 - Research

• Implemented a new double-blind system for research subject selection

• We were able to verify/validate the entire development and management process with vendor

• We were able to present a solution to executive leadership that was more secure than on-premise

• On-premise would not allow this system to work across institutions

Example #2 – Public Web

• With limited IT resources, they are not considered “core”

• We entered into an arrangement with a third-party hosting firm

• We conducted a risk assessment and interviewed the vendor

• We added specific language on security vulnerability remediation to contracts

• We are in the process of transitioning formerly on-premise web sites to the cloud, which reduces risk to our network

Conclusion

• The Cloud has always been there, and it’s not going anywhere due to multiple factors

• You need to be able to reduce costs, but at the same time, increase service quality

• If you also take Governance, Security, Vendor Relationships, Disaster Recovery, and Workflow into consideration, you will be able to implement what your organization needs
