Ken Ong, M.D., chief medical informatics officer for New York Queens Hospital, New York Presbyterian and iHT2 advisory board member who participated in the iHT2 Health IT Summit in New York City, joined SearchHealthIT to discuss how cloud computing and virtualization affect health care organizations.
How is cloud different from virtualization projects, or is there a difference at all? What do people mean when they say 'cloud?'
Ken Ong: The National Institute of Standards and Technology (NIST) has published the most comprehensive definition of cloud computing to date: 'Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.'
The NIST definition includes:
- Five essential characteristics: on-demand self-service, broad network access, resource pooling and rapid elasticity;
- Three service models: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS); and
- Four deployment models: private cloud, community cloud, public cloud and hybrid cloud.
In essence, someone else owns and manages the servers that house your software application.
How can cloud services be used in health care? With the popularity of mobile devices like smartphones and tablets aiding doctors in their practice of medicine, is the cloud a natural extension of access to wireless networks, or is there another leap of faith involved on the part of hospital IT administrators to incorporate the cloud?
Ong: The cloud includes but also goes far beyond the walls of the hospital and the doctor's office. Providers and patients can use smartphones for secure health messaging. Providers can access their electronic health record (EHR) on a tablet, and patients their patient portals or personal health records (PHRs). While a provider may do mobile charge capture on a smartphone, a patient may send a blood pressure or glucose level.
IT administrators need look no further than how they use the cloud themselves to do email, social networking, shopping, board airplanes and the ever-growing list of use cases for this technology.
The real value to health IT administrators, though, is how mobile technology can serve patient care by engaging patients, improving care coordination and providing access to health care information at point of care.
In what ways can data be shared through the cloud, and do you believe this will become a more normal way of sharing information in health care? What role does information exchange play in fostering cloud development in the hospital setting?
Ong: Health information exchange (HIE) means giving access to hospital test results to community physicians, sharing summary of care documents to physician offices or long-term care, and maintaining cancer and other disease registries. HIE can populate the ambulatory medication list for medication reconciliation and enables public health reporting (e.g., syndromic surveillance, immunizations and reportable diseases).
As IT matures and transforms health care, HIE will become the 'new normal' of the future.
Will security always be an obstacle for the growth of cloud services in health care? There have already been a wide range of highly publicized health data breaches in the last few years; does the use of cloud applications mitigate or further allow potential data breaches?
Ong: Indeed, a quick glance at the Health & Human Services Department 'Wall of Shame' reveals that many of the breaches affecting 500 or more individuals were due to the theft of laptops. Security is a huge concern for mobile devices.
HIMSS and mHIMSS have published a white paper focused on security, Security of Mobile Computing Devices in the Health care Environment. The paper suggests 13 questions health care organizations should ask themselves before deploying mobile computing devices:
- Does your organization currently have a policy for use of smartphones in your environment (set expectations)?
- Will you allow synchronization of email/data over the air or via workstations?
- Will you allow smartphones to connect to your internal Wi-Fi network? Guest Wi-Fi?
- Are you looking for asset control -- information regarding the number of smartphones connected to your network -- and the types of devices connected?
- Will you require password controls with minimum length and complexity?
- Do you want to lock/remote wipe devices after 'n' number of login attempts?
- Will you require inactivity timeouts?
- Is device encryption required in your environment for data in transit or at rest? What level of encryption is supported, and how are the keys managed?
- For lost or stolen devices, or when someone leaves the organization, will you be remote wiping the device?
- Are you considering developing or enforcing an 'Enterprise Applications Store?'
- Do you need to routinely enforce compliance for connected devices with your policy, and disconnect non-compliant devices?
- Can your existing NAC (network access control) mechanism extend to mobile computing devices?
- What liability considerations do you have? Will you support personally owned devices, as well as corporate-owned? Will exceptions be allowed? If so, what is the documentation process necessary? You must demonstrate that you have clearly set expectations with users who may not be expecting a remote wipe of a personally owned device. Employee signoff is highly recommended.
If proper attention is paid to addressing security, we can derive value from the cloud in a safe and secure manner.
This was first published in October 2012