Quick Summary
Despite cloud computing being close to two decades old, some IT stakeholders are still nervous about implementing cloud-based solutions — especially for apps and services for sensitive data-driven health delivery organizations (HDOs).
Because of well-publicized and large-scale cyberattacks against major organizations across the globe, HDOs’ guards are up and they’re scrutinizing any applications, medical devices, and mobile communication tools that aren’t completely under the control of enterprise IT.
Cloud computing isn’t a boogeyman to be afraid of: HDOs and solutions providers should work together to leverage cloud capabilities for numerous business advantages. HDOs can now confidently evaluate solution providers, manage the acceptance process of new vendors, and securely manage the compliant solutions themselves.
Ransomware attacks on major organizations are a thorn in the side of every IT stakeholder in businesses of all sizes. Mainstream cloud computing is almost 20 years old, but despite not being the cause of cyberattacks, wide-scale migration away from solely on-premises, or on-prem, infrastructure is still enough to shake the confidence of IT stakeholders deploying newer solutions.
Most health delivery organizations (HDOs) have at least some investment in and operational dependence on the cloud, but wider reliance on cloud-based solutions still creates tension. Even if cloud computing often has nothing to do with hackers hijacking devices — including medical tools and equipment — the idea of being more connected to systems outside the complete control of enterprise IT stirs up nervous reactions.
But cloud computing is nothing to be afraid of. In fact, businesses disadvantage themselves when they leave additional cloud adoption on the table. Embracing cloud solutions combined with solid security postures can help safely and securely provide applications and services to HDOs. Given complex health IT infrastructure and shrinking resources for new rollouts and application management, the cloud is a godsend in terms of scaling, deployment speed, ease of maintenance, and total cost of ownership (TCO) benefits.
The Cloud Evolution: Can It Handle Health?
With almost two decades in the public eye, cloud computing has already become a mainstay in how organizations do business. But whether a company’s infrastructure is primarily on-prem or in the cloud doesn’t always come down to cost. “Cloud has the convenience factor going for it,” BlueSteel Cybersecurity CEO Ali Allage says. “It’s not meant to be a cost-effective solution; it’s just meant to be a scalable solution.”
An organization’s cybersecurity posture isn’t defined by location so much as its capabilities, resources and use cases. “Most everything is going into cloud, and a lot of frameworks are adjusting and adapting to it,” Ali explains. But cloud security doesn’t make you more secure on-prem — with a hybrid solution composed of both, there’s just more environment, access control and open ports to lock down.
Eric Thorsen, CEO of ThorTech Solutions, agrees. When Amazon Web Services (AWS) introduced its Amazon S3™ back in 2006, it set the groundwork for the cloud competition we see today between AWS, Microsoft Azure, Google Cloud Platform (GCP) and Oracle. “It enabled businesses to compete,” Eric explains. “But if you’re not there now, it’s hard to keep up with your competitors because of the pace of innovation.”
The question — amid all this innovation — is whether these cloud companies are compliant and secure for the industries they serve, from fintech to healthcare. “AWS spent $8 billion on cybersecurity alone in 2021,” Eric highlights. On-prem companies will have trouble competing with these cloud titans. But regardless of whether organizations are on-prem or in the cloud, they need the same controls, staff, expertise, and processes for managing security effectively.
Big electronic health record (EHR) players like Cerner and Epic are at the forefront of cloud computing solutions. “Once you learn how to lock down a system in a certain way on a platform and the different features it has, you can now apply that to many other kinds of businesses,” Eric explains. “So I absolutely think that they are up to the task. … It’s just a matter of time before everybody is going to wind up being there.”
Service Providers Need to Educate Customers on Cloud
Few are in as unique a position as Jeff Richard, Chief Technology Officer (CTO) of Lone Star Communications, who has experienced HDO IT and operations from both customer and provider standpoints. As far back as 2013, Jeff was part of the leadership team at Texas not-for-profit health system Baylor Scott & White working on a project that required storing terabytes of data. Cheap cloud storage was the easy answer.
“We weren’t looking at the cybersecurity of what is tied to patients’ medical records,” Jeff says. Cyberattacks weren’t as prevalent. “There weren’t as many bad actors in the market.” But with the aforementioned rise of Epic and Cerner and their adoption of cloud technology, as well as the ubiquity of more cloud-based, user-focused applications across the healthcare industry, protected health information (PHI) has quickly become a top priority.
What Jeff learned from a customer standpoint is the need for service providers to educate and reassure customers that their decisions about their own solutions will be respected. But at the same time, it’s important to reinforce the implications of cybersecurity concerns. “Just because it’s in the cloud doesn’t mean it’s any more or less secure: It’s about the organization’s posture as a company, and abiding by the policies that they have in place,” he says.
It’s important that providers engage customers with up-to-date information and open and honest conversations about the handling of information. Additionally, “Lone Star is trying to get ahead of the integration power curve,” Jeff highlights. Risk and security assessment requests for simple procedures like renewing service contracts are on the rise. “We’re making huge efforts to improve our security posture (i.e. cybersecurity readiness) and be able to speak and demonstrate intelligently to our customers about what that posture looks like,” he says.
Getting the Value Proposition of PHI Right
PHI can make solution providers very nervous. However, failing to take advantage of what PHI offers is doing a disservice to customers and providers themselves. The decade-old world of error-prone, disparate systems and interfaces relying on manual patient data population is on its way out.
Tackling the problem from a business liability (rather than a cybersecurity) perspective might help. “It comes down to the value proposition on the data,” Ali explains. “If the data proves to be something that would greatly enhance the product — and the solution, risk, and liability of holding that data makes it worthwhile — it’s worth investigating.”
Privacy, confidentiality, compliance, and security concerns all play a part. “It is a journey of introducing better practices in terms of holding, encrypting, and ensuring that whenever data leaves, it’s encrypted in transit,” Ali says. With a SaaS platform application, even more questions bubble up. “How does the software handle the data? How does it interact with the systems behind that?”
Operating in the healthcare space amplifies these concerns. “When you’re touching that sort of information, you’re looking to produce an outcome that could potentially save lives,” Ali emphasizes. “It’s more of a greater insight [with] greater detail. Leave no stone unturned.”
Eric concurs and explains that customer reassurance on PHI has to be tangible — even amid indelible sales process friction. “Make sure there really is a value prop, because you’re going to be introducing not only the overhead of business liability but [also] the overhead of making sure you can prove to customers that you can be trusted with their data,” he says.
“Which risk are you willing to take and what is the benefit that you’re looking for?” Jeff asks. “If we’re really talking about saving lives, the ability to transmit data in a way that gives visibility to emergency departments [and] trauma teams increases the likelihood of high-quality outcomes for patients.”
Making the Process Better for Customers and HDOs
No provider is a stranger to customer due diligence — for both traditional in-person services and application-based services. But it doesn’t need to be painful for either party.
“We’re in a time where security is a concern,” Ali says. Because of this, “you see misguided, misdirected efforts in the form of questionnaires, with four or five compliance [frameworks] being regurgitated on a piece of paper.” Eric explains that these come from the desire of compliance officers to “eliminate the fear factor when building a solution.”
What both Ali and Eric agree on is the need for conversations between customers and HDOs about why certain questions are important. When it comes to questions of liability and data loss prevention, Ali says it’s important to “collaborate on a direction that ultimately yields the best results for both sides.”
“A lot of it is education with the customer,” Jeff adds. “It needs to be a dialogue for both sides.”
Final Thoughts
Normalizing cloud adoption is a critical part of ensuring that dialogue between customers and providers takes place — and that HDOs are fully embracing the inevitable tide of technological transformation.
Working together to discard inaccurate biases around innovation is key to this transformation, and “the innovation [itself] is also making [digital transformation] easier,” says Eric.
Such advancements likewise make it simpler to demonstrate tight security to customers and give them more reassurance — cheaper than before. Demonstrable value props are “no-brainers” and are “easier to engage,” Ali adds.
“Things are changing fast,” Jeff says. “Just keep educating.” Cloud solutions and cloud adoption are not going away. The sooner HDOs that understand cloud’s benefits embrace what it can do for them, the better off everyone will be.
Kenny Schiff, a healthcare industry veteran, is the Founder of CareSight, a powerful alarm analytics-as-a-service company that delivers the information required to help hospitals manage their alarm, alert, and notification environments. In October 2022, CareSight was acquired by Lone Star and now operates as a majority-owned division of Lone Star Communications Companies.