
HC3 Kickoff presentations - June 19, 2014

Slides from June 19th HC3 Kickoff meeting

HC3 Overview Adam Greene
What is the Cloud?   Hemant Pathak
The Disruptive Cloud Anish Sebastian
The Practical Cloud Pete Celano

Published in: Healthcare, Technology, Business

  1. 1. Networking Breakfast Presentations Start at 9AM ET
  2. 2. Logistics & Agenda Grant Elliott CEO, Ostendio, Inc. @HCCCoalition #HC3
  3. 3. @HCCCoalition #HC3 Event Sponsors
  4. 4. @HCCCoalition #HC3 Agenda 8:30am Networking breakfast (sponsored by Davis Wright Tremaine LLP) 9:00am HC3 Overview Adam Greene 9:30am What is the Cloud? Hemant Pathak 10:00am The Disruptive Cloud Anish Sebastian 10:20am The Practical Cloud Pete Celano 10:40am Panel Discussion & QA Moderated by Shahid Shah (Hemant Pathak, Chad Kissinger, Sandeep Pulim, Adam Greene) 11:30am HC3 Wrap up Adam Greene Noon End
  5. 5. @HCCCoalition #HC3 Questions & Comments Send questions to @HCCCoalition #HC3
  6. 6. Addressing Regulatory Challenges of Bringing Health Care to the Cloud Adam H. Greene, JD, MPH Partner, Davis Wright Tremaine LLP
  7. 7. @HCCCoalition #HC3 The Challenges Cloud computing and cloud-based mobile technology can improve health care and reduce costs, but…
  8. 8. @HCCCoalition #HC3 The Challenges Health care is not fully leveraging cloud technology because of lack of trust in information security
  9. 9. @HCCCoalition #HC3 The Challenges Where health care entities leverage cloud computing, there are too many inefficiencies: A sea of different information security questionnaires Confusion and disagreement over business associate agreement terms Confusion over information security responsibilities
  10. 10. @HCCCoalition #HC3 The Challenges A lack of HHS guidance on how HIPAA applies to cloud computing: What if cloud vendor was unaware it was hosting PHI for a covered entity? No guidance or audit protocols specific to business associates How to handle patients rights and breaches when you may not know what information you have
  11. 11. @HCCCoalition #HC3 The Challenges The price of entry for small companies into health care is too high because of this confusion.
  12. 12. @HCCCoalition #HC3 The Mission of HC3 Reduce obstacles to the health care sector leveraging cloud computing technology. Promote innovation by reducing health care compliance burdens on health care technology companies.
  13. 13. @HCCCoalition #HC3 The Objectives of HC3 1. Understanding – Create an accepted framework for health care and cloud computing
  14. 14. @HCCCoalition #HC3 The Objectives of HC3 Develop internal guidance on how HIPAA applies to cloud computing.
  15. 15. @HCCCoalition #HC3 The Objectives of HC3 Develop tools, such as: Sample business associate agreement provisions, to address unique cloud computing issues Notices that clearly identify each party’s security responsibilities A self-audit protocol for cloud computing providers
  16. 16. @HCCCoalition #HC3 The Objectives of HC3 Work with health care providers and other associations (e.g., HIMSS, Cloud Security Alliance) to obtain feedback and promote the tools and guidance.
  17. 17. @HCCCoalition #HC3 The Objectives of HC3 2. Trust – Build trust in cloud computing and regulatory compliance through an accepted accreditation/certification process or other programs.
  18. 18. @HCCCoalition #HC3 The Objectives of HC3 Certification needs to be: Focused on health care (e.g., HIPAA, Alcohol and Substance Abuse Treatment Confidentiality) Focused on cloud computing Scalable (e.g., works for both large IaaS provider and small SaaS provider that does not host its own data)
  19. 19. @HCCCoalition #HC3 The Objectives of HC3 Not looking to reinvent the wheel. • Adopt and promote any existing or upcoming certifications/accreditations that meet our needs. • Tweak any existing certifications/accreditations that get us 90% of the way there.
  20. 20. @HCCCoalition #HC3 The Objectives of HC3 3. Government Outreach – Seek regulatory guidance from HHS and other relevant agencies. Maintain outreach and transparency with the government.
  21. 21. @HCCCoalition #HC3 The Objectives of HC3 4. What else?
  22. 22. @HCCCoalition #HC3 Next Steps? Learn from others today about the benefits and challenges of cloud computing in health care. Discuss the scope of what HC3 will initially take on. Incorporate and set up structure for membership dues. Volunteers
  23. 23. Health Care Cloud Coalition Legal considerations with cloud computing A View From The Cloud Vendor. Insight on the HIPAA Omnibus Rule, Cloud Privacy & Security, and HIPAA Enforcement Hemant Pathak, Assistant General Counsel, Microsoft
  24. 24. @HCCCoalition #HC3 What are the types of cloud model we are going to discuss today? • Enterprise Cloud • Three types of cloud services: SaaS, PaaS, IaaS • Public, Private, Hybrid • Always available • Per user, consumption buying model • Data and services with a common delivery model in shared data centers • Different from traditional “outsourcing”
  25. 25. @HCCCoalition #HC3 Why do customers choose cloud services? • On demand scalability, reliability and flexibility of computing resources, updates, interoperability and tech support • Reduction of infrastructure costs & complexities at very large economies of scale across the board (electricity, network bandwidth, operations, SW & HW). • Organizations can “get out” of the Data Center business • The right vendor can address state of the art security & privacy protocols to help customers address their compliance requirements in a highly regulated industry
  26. 26. @HCCCoalition #HC3 From the cloud service provider (CSP) perspective – what are contracting expectations? • Cloud services are configurable, but generally not customizable • SLA, Service Descriptions, Security Descriptions • Contract terms that require unique requirements for service for one individual subscriber are not scalable • Pre-Sales CSP & customer partnership and due diligence on contract terms and solution alignment reduces risk now and in the future for both parties • Ensure compliance with laws and corporate policies • Protect brand and reputation for both parties
  27. 27. @HCCCoalition #HC3 From the customer perspective – what are contracting expectations? Where and how is data stored? • Clear data maps and geographic boundary information Data must be encrypted wherever possible Who has access and what is accessed? • Core customer data must be accessed only for service delivery, troubleshooting, migration and malware prevention purposes on an exception basis and all access should be logged Who owns data? • The Customer. Data must be fully portable and retrievable Who pays for costs related to security breaches? • Commercial term addressed by the parties
  28. 28. @HCCCoalition #HC3 Security & Privacy – How do you get assurances? • Security • Physical Data Center standards • Secure Networks • Automated operations • Robust breach prevention, detection and mitigation • Compliance - Cloud Service Providers (CSP) should address regulatory standards • E.g. - ISO 27001, HIPAA BAA • Federal Trade Commission • Watchdog groups • Healthcare agencies • DHHS • Independent Audit & Verification
  29. 29. @HCCCoalition #HC3 What are questions Customers ask a potential CSP? • Security & Privacy Compliance • Does the cloud vendor offer a BAA • Does the BAA contain all required HIPAA terms • Does the CSP stipulate to comply with breach notification rule, timely reporting, appropriate and transparent limitations on use & disclosure and “minimum necessary” • Embedded technical, physical and administrative safeguards in support of HIPAA • Data mining – will my cloud provider use my data for advertising, marketing or other commercial purpose w/o my consent • Does CSP have transparent and robust process on addressing third party requests for data? • Clinical centered care strategies • Compliance across collaboration modes through audio, video & messaging • HealthCare Enterprise Ready
  30. 30. @HCCCoalition #HC3 What are consequences of non-compliance? • Phoenix Cardiac Surgery • Fined $100,000 by DHHS for failure to obtain a BAA “Covered Entity failed to obtain satisfactory assurances in business associates agreements from the Internet-based calendar and from the Internet-based public email providers that these entities would appropriately safeguard the ePHI received from Covered Entity.” • Oregon Health & Science University • Negative PR stemming from breach involving storing a spreadsheet of patient data with cloud service which was not a business associate. • DHHS Regulator Quotes “If you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don't use the cloud service.” “…cloud services [are] under direct regulations of HIPAA…,"
  31. 31. @HCCCoalition #HC3 Conclusion • Health Care Providers moving to the cloud want to choose a CSP that has been proven trustworthy and that they can trust. • Transparency about compliance, security and privacy practices and use of data is the key to trust. • Transparency allows customers to determine whether using a given cloud offering helps them to be compliant with applicable regulations and corporate policy.
  32. 32. @HCCCoalition #HC3 QUESTIONS?
  33. 33. The Disruptive Cloud – How the cloud is helping me drive innovation Anish Sebastian Co-founder 1EQ
  34. 34. @HCCCoalition #HC3 The Cloud
  35. 35. @HCCCoalition #HC3 The Cloud = 10X Improvement! • Ease of Use • Scalability • Risk and Reliability • Cost • Security • Connectivity
  36. 36. @HCCCoalition #HC3 Ease of Use
  37. 37. @HCCCoalition #HC3 Ease of Use • Deploy infrastructure quickly with no need for system admin • No cabling, racking, unboxing or buying • Software now controls the infrastructure • Control your servers with the click of a mouse
  38. 38. @HCCCoalition #HC3 Scalability
  39. 39. @HCCCoalition #HC3 Scalability • Can adjust to min by min variation in demand • Nothing to purchase and take delivery • Increase innovation, by removing “too scared to try” syndrome • Go global in a matter of seconds (co-location)
  40. 40. @HCCCoalition #HC3 Risk and Reliability • Cancel immediately • Change instantly, even OS • Rebuild instantly • No long term contracts • Based on enterprise grade hardware • Employ best practices in IT: • Design for failure • Control framework • Disaster recovery
  41. 41. @HCCCoalition #HC3 Cost • Pay for only what you use – nothing up front and pay as you go • Zero CapEx = lower burn rate = happy investors! • Cloud has economies of scale, business model based on volume not margin • Since we started using Amazon, prices have gone down
  42. 42. @HCCCoalition #HC3 Security • Architected for enterprise security requirements • More than likely more secure than what you can normally build yourself • AWS White paper on HIPAA • Ability to quickly fix security holes and keep up with new compliance standards.
  43. 43. @HCCCoalition #HC3 Being an “aaS” SaaS – Software as a Service PaaS – Platform as a Service IaaS – Infrastructure as a Service
  44. 44. @HCCCoalition #HC3 The Cloud Pyramid Broad Niche
  45. 45. @HCCCoalition #HC3 The cloud Pyramid Developers Users Network Engineers
  46. 46. @HCCCoalition #HC3 The cloud Pyramid Google Apps, Heroku, Salesforce Windows Azure SendGrid, Mailchimp, Twilio Zendesk, ……..a lot more Amazon, Rackspace
  47. 47. @HCCCoalition #HC3 The cloud Pyramid – Applications long tail effect. • The long tail is directly an impact of the cloud. • They all talk to each other.
  48. 48. @HCCCoalition #HC3 Connectivity • This long tail of products connect to the cloud via API • It has fueled a new era of API • Allows for various SaaS companies to stitch together a whole series of services generally via API • Everything is connected to everyone
  49. 49. @HCCCoalition #HC3 Differentiation • Bottom Line: • The cloud allows you to focus on what truly makes you different • Lets you outsource commoditized services and services that are not your core competencies.
  50. 50. @HCCCoalition #HC3 What does the future look like?
  51. 51. The Answer is in the Cloud Pete Celano MedStar Institute for Innovation www.mi2.org
  52. 52. @HCCCoalition #HC3 Mission • Extend Access to the Poor/Rural • Reduce Costs • Better Outcomes • New Revenue
  53. 53. @HCCCoalition #HC3 New World • Old World: EMR(s) is what you have • New World: Innovate “north” of the EMR. And bolt-in.
  54. 54. @HCCCoalition #HC3 Focus Areas 1. Capacity Utilization 2. Extending the Site of Service 3. Flowing Data to Docs
  55. 55. @HCCCoalition #HC3 5-Step Process 1. What problem are we trying to solve, and RoI? 2. Balance Sheet Test 3. Our BAA 4. Pilot Fast 5. Take it Wide if Pilot Works & Economics are Verified
  56. 56. @HCCCoalition #HC3 Five Predictions 1. Only more inventors will run-not-walk to healthcare 2. EMR vendors will be acquiring right & left in 2015 and beyond 3. Solutions will start breaking Provider-only and Provider-Payer (“Provayer?”) 4. Virtual Visits will take off like a rocket 5. Apple’s HealthKit et al will finally make Remote Patient Monitoring relevant.
  57. 57. Panel Discussion and Q&A 10:40AM – 11:30AM • Hemant Pathak (Microsoft) • Chad Kissinger (OnRamp) • Sandeep Pulim (@Point of Care 360) • Adam Greene (Davis Wright Tremaine LLP) - Moderated by Shahid Shah, Netspective
