By Angela K. Dinh, MHA, RHIA, CHPS
In the past several years cloud computing has gained substantial recognition. However, it is still a relatively new concept for those in the healthcare industry.
Before adopting cloud-based services or applications, organizations need to understand how cloud computing works, the types of clouds available, and the pros and cons of using clouds.
How It Works
The National Institute for Standards and Technology defines cloud computing as "a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."1
Although it sounds simple, it is not. Exactly how cloud computing works can be complicated to describe.
In simple terms, think of a cloud in the sky. Within that cloud exist servers, applications, storage space, and databases, to name just a few of the technologies that can be provided in a cloud. Through the Internet, people access the cloud and the technologies it contains.
Clouds are managed by providers, who may or may not charge fees. Google, for example, offers Google Docs, which allows anyone to create and share documents on the Web for free. Because these documents live in the cloud, they can be accessed and edited from any computer or smart phone.
Organizations that use cloud services typically use more robust paid services. These are billed like utilities. Just as home owners are billed for the amount of water and electricity consumed, organizations are billed for the cloud services used.
Organizations typically identify and define which of their staff members have access to the cloud and which technologies they can use.
Types of Clouds
There are three basic cloud types based on user needs and preferences:
- Private cloud, which involves virtualized cloud data centers inside the organization's firewall. It can also be a private space dedicated to the organization within a cloud provider's data center.
- Public cloud, which involves virtualized data centers outside of the organization's firewall. Generally, a service provider makes resources available to organizations on demand over the Internet.
- Hybrid cloud, which combines aspects of both public and private clouds.2
The type of data an organization creates, manages, and maintains will determine the type of cloud it requires. Healthcare data such as protected health information (PHI) mandate privacy and security protections that warrant use of a private cloud.
However, whether clouds provide adequate privacy and security capabilities to protect PHI is debatable. Whether the cloud can meet the requirements mandated for data privacy such as those for the Payment Card Industry Data Security Standard and HIPAA will vary by vendor, consumer, and technical expert. Organizations should research and understand the vendor's capabilities before making any decisions.
Pros and Cons
As with any technology, there are pros and cons to using cloud computing. Some of the pros include:
- Cost. There are no upfront capital costs and fewer overhead expenses. The organization pays only for using the services; it saves on investment, maintenance, user licenses, and overhead such as electricity and rack space.
- Elasticity. Cloud computing acts like a rubber band. It can expand for volume and storage purposes as needed and at a rapid pace.
- Access. Access is immediate and available anytime from anywhere (as defined by permissions).
- Disaster planning and back-up. The cloud is resilient in natural disasters as it will continue to function even if the user's computers and systems crash.
Some of the cons include:
- Cost. Although the organization saves on capital investments and maintenance, the costs of its usage can skyrocket if it fails to monitor and manage access to the cloud.
- Performance. Cloud computing is scalable; however, performance depends on Internet speed and the number of users in the cloud at a given moment. If there is a spike in use, then the cloud may run slowly. A user can never tell if and when a cloud will be slow.
- Reliance on the Internet. The cloud relies on the Internet. If the Internet goes down, the cloud is inaccessible.
- Privacy and security. Safeguards do exist to protect the data of cloud consumers. However, the level of privacy and security provided is still in question. There is not enough information to prove or disprove the credibility of the cloud for privacy and security overall. Regarding its ability to safeguard PHI, the cloud needs further evaluation.
Organizations that use a cloud provider must take appropriate measures, as they should with any vendor. Contracts need to be appropriately negotiated and legal counsel consulted.
At a minimum, a contract with a cloud provider should include the following details:
- The security controls that will ensure privacy. Healthcare data must be protected to prevent data breaches and identity theft.
- Where the data will be stored. Other countries have different laws pertaining to privacy and data ownership.
- Data recovery procedures and data ownership. In the event the cloud service provider goes out of business, organizations must ensure all their data are returned and are not sold off to other businesses for data mining.
- The type of medical information to be stored. Certain file types such as images can consume large volumes of data storage and may cost more to store in the cloud than storing locally.
- Bandwidth and connection speed required to connect to the cloud. All users, especially busy physicians and clinicians, will get frustrated if the system takes too long to retrieve data.
Tom Walsh, CISSP
- The National Institute for Standards and Technology. "The NIST Definition of Cloud Computing." October 2009. Available online at http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc.
- Dummies.com. "Cloud Computing for Dummies Cheat Sheet." Available online at www.dummies.com/how-to/content/cloud-computing-cheat-sheet.html.
Angela K. Dinh (firstname.lastname@example.org) is a professional practice resource manager at AHIMA.
Dinh, Angela K..
"Cloud Computing 101"
Journal of AHIMA