Adam Stern | Health IT Outcomes
This is the second of a two-part series.
Healthcare delivery is complex enough; most medical practices would prefer not to wade into the fog of IT, especially given just how obtuse the tech world has become. For those practices making the shift from an in-house solution to the cloud, getting the language right is crucial. Familiarizing yourself with some basic terminology won’t turn you into an expert, but it can provide a grounding in the fundamentals which can make you a wiser IT consumer and perhaps a more savvy user.
Public Cloud? Private Cloud? Hybrid Cloud?
As the cloud has expanded, it more or less subdivided: private (that is, proprietary or internal to one organization), public (in which service providers make applications and storage available to any business over the Internet, typically for a monthly usage fee), and hybrid (a blend of both). Put another way, some of your workload is under your control, some outside of your control, and some situations mix the two.
These days, the hybrid cloud is ubiquitous. The majority of organizations rely on servers and computers: some data resides on various desktops, some is stored with Apple or Dropbox or Microsoft, and some organizations have embraced Infrastructure as a Service (IaaS) or Software as a Service (SaaS) — both explained in more detail below.
Understand there’s nothing really new about the hybrid cloud. As bandwidth has increased, organizations of all shapes and stripes have been shifting workload to the Internet. Public compute space and private compute space coexisted long before anyone bothered to come up with a meteorological metaphor. Compute on-premises, store off-premises — we’ve all been there and done that. The bottom line is you can’t not be in the cloud these days. Slapping a term like “hybrid” is just a faddish way to package a long-established status quo.
The right questions aren’t, “Should I go on or off premises?” and “Should I opt for the hybrid cloud, the public cloud, or a private cloud?” The smart question is, “What’s strategically best for my medical practice?” When you frame the query in that manner, you can determine where to place your compute power and begin to gain control over the dynamic. Want to reduce costs? Increase efficiencies? Achieve some other objective? Go back to basics. First, decide what your metrics are and how they serve the business, then select the technology.
SaaS, IaaS, PaaS
At its most basic level, IaaS enables medical practices to move all or part of their compute environment to the cloud (that is, off premises), and to make the migration without modifying any of their existing applications. The market is now awash in IaaS tools and technologies, empowering medical practices that may lack traditional computing resources to benefit from robust products and platforms.
In the mushrooming world of the cloud, IaaS is distinguished from two other “as a service” models — Software as a Service (SaaS) and Platform as a Service (PaaS). Without getting mired in terminology, SaaS is essentially a software rental model, where individual applications are hosted — again, off-premises — for a monthly subscription fee. All users need is a web browser and they’re good to go.
Platform as a Service (PaaS) is somewhat more ambitious while remaining steadfastly user- and application-specific. PaaS is ideal for medical enterprises writing applications specific to their business, because they don’t need to build and maintain the infrastructure usually required to develop and launch an app. PaaS makes it possible, even easy, to develop applications rapidly with little technical know-how, applications that aren’t intended to be sold but that run on a single, captive platform. If the platform for which the app was written changes or ceases to exist, however, users are out of luck. With PaaS, internal development teams are compelled to ride the IT rollercoaster, forever investing and reinvesting in platform-specific application development.
IDPS, DDoS And HIPAA: The Alphabet Soup Of Security
For medical practices operating in the age of HIPAA, security is a process, not an event — a mindset, not a matter of checking boxes and moving on as one might on a medical claim form. As Wired noted following the global WannaCry ransomware attack, “Hospitals are the most common target of ransomware — because the stakes are literally life and death, computer users are particularly likely to pay to regain access to their machines.” Sound security planning requires assessing threats, choosing tools to meet those threats, implementing those tools, assessing the effectiveness of the tools implemented, and repeating this process on an ongoing basis.
At minimum, what steps must medical practices take? Measures like clustered firewalls, multi-factor authentication — that is, “layered” passwords — and intrusion detection and prevention systems (IDPS), which go above and beyond traditional firewalls. Increasingly, threats are emanating from Distributed Denial of Service (DDoS) attacks on hosting providers and from massive volumetric attacks. These attacks are something new and particularly troubling, and no single firewall can stop them — especially when the attacks originate from connected devices.
Volumetric attack protection technology is emerging as a way to mitigate these attacks; it automatically analyzes DDoS alerts and issues routing commands to ensure immediate action is taken when genuine DDoS attacks are detected — all without any human intervention. Volumetric attack protection is not a panacea, but it points to a promising solution set for medical practices and, indeed, for any cloud deployment.