Title: HIMSS Recap: Security Remains a Key HIT Concern (Gartner Reprint of "It's Time for Healthcare to Move to the Cloud")
This research note is restricted to the personal use of romy.ribitzky@velocitycloud.com
G00308719
Healthcare Providers: It Is Time to Trust Cloud Service Providers as Partners
Published: 28 July 2016
Analyst(s): Gregg Pessin
It's time for cloud service providers to be considered trusted partners to healthcare delivery organizations. HDO CIOs should use this research to come to terms with concerns about security, privacy and service delivery to break through the barriers that are preventing full-partnered cloud adoption.
Key Findings
■ CIOs are under pressure to adopt cloud services for reasons other than cost savings or functional improvement, such as prime vendors moving to cloud-only solutions with no on-premises options.
■ When able, healthcare delivery organization (HDO) IT leadership takes measured steps toward the adoption of cloud-based services.
■ SaaS is the prevailing cloud model in use today by HDOs.
Recommendations
■ Work through the security, privacy and service delivery barriers that exist in the organization surrounding cloud-based services.
■ Create a hybrid cloud strategy that includes a combination of private, community and publicly hosted offerings to unlock the missing capabilities HDOs need.
■ When comparing vendors, look for healthcare-specific cloud service partners.
Analysis
A Matter of Trust
HDO CIOs have stepped lightly into the world of cloud-based IT services for both infrastructure and application solutions, and with good reason. There has been a general reluctance to embrace cloud offerings, particularly for protected health information (PHI), due to concerns over Health Insurance Portability and Accountability Act (HIPAA) readiness and security. This reluctance is now unfounded. In most cases, cloud service providers (CSPs) have more robust and comprehensive security practices and security talent than are available to most HDO IT departments. Cloud services have matured, as have the practices for cloud-using organizations, and the time has come for HDOs to recognize cloud service providers' strengths and consider cloud-based hosting services as a viable regulation-acceptable IT service delivery model.
Much of the HDO CIOs' hesitation to fully embrace the cloud has to do with trust. This is understandable when considering that, for the past decades, HDOs have relied on internal IT departments managing services running from HDO-owned or -controlled data centers. Hospital leadership has established a trust relationship with the IT department. This trust relationship has three layers, as depicted in Figure 1. The first is between HDO senior leadership and the CIO, the second is between the CIO and the IT staff and the third is between the IT staff and the vendors that provide the hardware and software. All three trust relationships are built based on the successful evolution of service delivery over time.
Figure 1. Levels of Trust
Source: Gartner (July 2016)
Page 2 of 8 Gartner, Inc. | G00308719
Just under 1,600 PHI breaches impacting 500 or more individuals were tracked by the U.S. Department of Health and Human Services (HHS) over the last five years.¹ Two hundred of those were hacking events, and out of those, only one CSP was identified. It was not for a PHI disclosure, but because there was a possibility it had allowed a virus injection attack on systems that contained PHI. All of the other registered breaches were due to security failures at the HDO. This should no longer be considered a surprise. From a technical and operational perspective, CSPs are executing at a very high performance level. They have invested in top-tier infrastructure and built state-of-the-art data center facilities managed by the industry's best talent on a 24/7 basis. Their ability to deliver infrastructure and application services to the HDO is better than the HDO's own IT department.
The cloud vendors are working hard to prove that their services are reliable and trustworthy, with a growing number of them maintaining formal third-party security evaluations, such as International Organization for Standardization (ISO) 27001 and Service Organization Controls (SOC) 2. The healthcare market is a lucrative, mostly untapped market for them, and they cannot afford any missteps. A growing number of cloud vendors have moved forward with offering business associate agreements (BAAs) to show that they stand behind their HIPAA-ready security infrastructure, methods and policies.
To further demonstrate their trustworthiness, CSPs have mechanisms to make their service delivery performance transparent to their customers. Almost every agreement to host services in the cloud includes an SLA that specifies a negotiated availability level for the services provided. Availability is typically measured by starting with the agreed hours of availability in a time frame (usually a month), subtracting the total duration of incidents incurred during that month, and dividing the result by the agreed hours, which yields a percentage. For example, an availability figure of 99.99% means the CSP is allowed 52.56 minutes of unexpected downtime in a year, and 99.999% equals 5.26 minutes of downtime in a year.
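The SLA arithmetic described above, carried through as an added example that is not part of the Gartner note: the month, incident records and SLA targets are constructed sample data, and clipping incidents to the measurement window and merging overlapping tickets are assumptions about how a practitioner would apply the method so that downtime is neither counted twice nor pulled in from an adjacent month.

```python
"""Monthly availability from an incident log, checked against an SLA target.
Method from the note: (agreed minutes - incident minutes) / agreed minutes.
All incident data and SLA figures below are constructed sample values."""
from datetime import datetime

MINUTES_PER_YEAR = 365 * 24 * 60  # 525,600; reproduces the note's 52.56-minute figure


def annual_downtime_budget_minutes(availability_pct: float) -> float:
    """Downtime a CSP may incur per year and still meet the stated target."""
    return MINUTES_PER_YEAR * (1 - availability_pct / 100)


def monthly_availability(year: int, month: int, incidents, agreed_hours=None) -> float:
    """incidents: iterable of (start, end) datetimes. Returns availability in %.
    agreed_hours defaults to the whole month (assumption: no excluded hours)."""
    window_start = datetime(year, month, 1)
    window_end = datetime(year + 1, 1, 1) if month == 12 else datetime(year, month + 1, 1)
    if agreed_hours is None:
        agreed_hours = (window_end - window_start).total_seconds() / 3600
    agreed_minutes = agreed_hours * 60
    # Clip each incident to the month so a cross-month outage only counts
    # the minutes that fall inside this measurement window.
    clipped = sorted((max(s, window_start), min(e, window_end)) for s, e in incidents)
    # Merge overlapping tickets: two tickets for one outage are one outage.
    merged = []
    for s, e in clipped:
        if e <= s:
            continue  # entirely outside the window
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    down_minutes = sum((e - s).total_seconds() / 60 for s, e in merged)
    return (agreed_minutes - down_minutes) / agreed_minutes * 100


def meets_sla(availability_pct: float, target_pct: float) -> bool:
    return availability_pct >= target_pct


# Constructed June 2016 incident log: 50 min (two overlapping tickets),
# 20 min spanning midnight, and 30 min of a 60-min outage that crosses into July.
SAMPLE_INCIDENTS = [
    (datetime(2016, 6, 3, 2, 0), datetime(2016, 6, 3, 2, 45)),
    (datetime(2016, 6, 3, 2, 30), datetime(2016, 6, 3, 2, 50)),
    (datetime(2016, 6, 20, 23, 50), datetime(2016, 6, 21, 0, 10)),
    (datetime(2016, 6, 30, 23, 30), datetime(2016, 7, 1, 0, 30)),
]

if __name__ == "__main__":
    avail = monthly_availability(2016, 6, SAMPLE_INCIDENTS)
    print(f"June 2016 availability: {avail:.4f}% (meets 99.9%? {meets_sla(avail, 99.9)})")
    print(f"Annual budget at 99.99%: {annual_downtime_budget_minutes(99.99):.2f} min")
```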
These mechanisms are how HDO CIOs and IT leadership measure trust. Independent security evaluations, commitment to maintain BAAs and service delivery at a level within the agreed-to SLA over time are key. When put in perspective and compared with how the trust relationship was established back when x86 servers took over from midrange and mainframe systems, or virtual machines replaced physical servers, there is a direct parallel. It took everyone witnessing the dependable service over time to establish trust in those IT paradigms. It is time that HDO CIOs allow CSPs to join the trust level that in-house vendors have been occupying, and consider their potential in partnering with them to deliver the IT services the HDO needs. Instead of worrying about whether public cloud services are secure, HDOs need to start developing their strategies for public cloud use (see "Cloud Strategy Cookbook") and ensure that they have the people, policies and processes to apply those services effectively and securely (see "Clouds Are Secure: Are You Using Them Securely?").
Hybrid Approach to Cloud Strategy
With the barriers to cloud adoption being addressed, a full assessment of cloud service offerings will lead to the creation of an enterprise cloud strategy and architecture. This approach will unlock the value of cloud-based services for the HDO, bringing the HDO IT department all of the flexible, elastic compute and storage capabilities that have been missing. When answering the question of how to integrate cloud services into an existing set of infrastructure and software services, the enterprise and application architecture needs to be reviewed carefully. No one cloud service platform will address all of the needs of an HDO. The combination of the various platforms into a single solution is referred to as a hybrid approach. The cloud strategy should include a tiered approach to application placement within the various cloud platforms, based on the usage and operation of each application. This tiered approach is similar to tiered storage solutions. In a tiered storage architecture, the type of storage used is tied to the application's requirements for data storage and retrieval. This can be based on factors like retrieval speed or the type of data being stored. The same is true for a tiered hybrid cloud strategy: the type of cloud service chosen should match the application's use. The hybrid strategy will include locations such as:
■ Internal data centers
■ Colocated data centers
■ Remotely hosted services
■ Public cloud infrastructure as a service (IaaS)
■ Platform as a service (PaaS)
■ SaaS
Integration of these placement options needs to be architected for current requirements, as well as projected growth and service evolution over time. Services that run from each of the various locations within the architecture will need to interoperate. Planning for those communication pathways needs to be a key component of the hybrid architecture and needs to take into consideration the same security and privacy concerns addressed by the cloud partners (see "Hybrid Architectures for Cloud Computing" for more detail).
Healthcare-Specific Cloud Providers
As the cloud strategy forms, HDOs will begin to shortlist vendors for selection as potential partners.
Follow published Gartner guidelines when considering various vendors:
■ Use the same criteria for establishing a trust relationship that you would for other services.
■ Only do business with CSPs that will sign a HIPAA BAA or its regional counterparts, such as European Data Protection Days (EDPD) 95/46/EC.
■ Use the "sweet spot" approach to narrow down vendor selection (see Note 1).
The list below presents a few of the CSPs that specifically service the healthcare provider community, will provide a BAA and have already become trusted partners of many HDOs. The vendors listed provide a variety of service offerings, including public and private IaaS, public and private PaaS, remote hosting capability, and managed services, such as backup and recovery services and disaster recovery services (see "Market Guide for Cloud Service Providers to Healthcare Delivery Organizations").
■ Amazon Web Services (Health and Cloud Computing)
■ ClearDATA
■ Connectria (Solutions)
■ Hosting (Hosting Healthcare Cloud)
■ Microsoft Azure
■ Velocity Technology Solutions (Healthcare)
Gartner Recommended Reading
Some documents may not be available as part of your current Gartner subscription.
"Market Guide for Cloud Service Providers to Healthcare Delivery Organizations"
"Clouds Are Secure: Are You Using Them Securely?"
"The Top 10 Cloud Myths"
"How to Evaluate Cloud Service Provider Security"
"Preparing the In-House IT Organization for Public Cloud"
"Solution Path for Implementing a Public Cloud Adoption Maturity Plan"
"Hybrid Architectures for Cloud Computing"
"Speed Up Cloud Service Selection Using a Deal 'Sweet-Spot' Analysis"
Evidence
¹ See U.S. Department of Health and Human Services Office for Civil Rights Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information.
Note 1 Sweet-Spot Checklist
Although this checklist is centered on IaaS, it applies well to other cloud service offerings.
1. Fit of service offerings
■ Does the offering meet your public or private cloud business processing requirements?
■ Can it be operated and self-managed, and can it be provided as a managed service, if required?
■ What is the general track record of the IaaS provider in delivering services to your local area?
■ Will the IaaS hardware platforms support your typical test and production environments, and are they consistent with your enterprise's architectural requirements?
■ Can the offering deal with in-country location constraints for storing and processing your data?
■ Can the WAN and LAN capabilities meet the minimum performance requirements to make the IaaS offering technically viable in the locales you have offices in?
■ Can the IaaS provider provide an appropriate level of help desk support?
2. Scale of services deal
■ Does the IaaS provider have a range of clients with similar production scale, complexity and/or test processing requirements that run on the proposed IaaS platform?
■ Is the IaaS offering readily scalable to meet your current and future needs?
■ Is the network access readily scalable to meet your current and future needs?
■ Does the vendor have the financial capability to sustain funding for this level of scalability?
■ Are the IaaS architecture and infrastructure designed to be easily shareable with many enterprise or public users?
■ What is the licensing impact of running your application and database software on a scalable shared platform? Is it commercially viable to change your licensing arrangements?
■ Can the IaaS operating environment support your required recovery time and recovery point objectives?
3. Maturity of service delivery processes
■ Does the IaaS provider have a good track record of delivering the required services at consistent levels of availability and performance to meet your application response time requirements?
■ Are its managed service offerings delivered according to industrial-strength operational and quality processes, such as ITIL V3 and Six Sigma?
■ Does the provider use common toolsets to deliver help desk services to all its clients, and monitor and report on the quality of your service?
■ Is there a service dashboard available to give you visibility of ongoing performance and any problems?
■ Are its contract terms and conditions fixed (which is fine for testing), or can you configure them to meet your enterprise's commercial requirements?
■ Will the provider guarantee to meet your minimum service-level requirements and pay penalties if it doesn't?
■ Can the IaaS provider guarantee the security and privacy of your data and related processing?
4. Cultural compatibility
■ Is the provider used to working with client organizations like yours, and is it easy to do business with?
■ Do you need the provider to have people who understand the nuances of working in your industry? If so, does it have staff who understand those nuances?
■ For large-enterprise requirements, can it allocate a specific relationship and service delivery manager resource to work with your service management team on a regular basis?
5. Flexibility in dealings and the extensibility of solutions
■ Is it easy to scale the IaaS services up, as well as down, both physically and contractually?
■ Can the provider or its channel partner deliver other cloud-based project and technology implementation services you might need?