The state of hybrid IT in healthcare

IT executives at healthcare organizations are reluctant to move elements of their infrastructure to the cloud, even if some is left on-premises.

However, this structure, known as hybrid IT, has quickly become the reality for most other industries, with 92 percent of IT professionals recently surveyed by SolarWinds saying adopting cloud technologies is important to their company's success, but 60 percent noting it's unlikely their total IT infrastructure will ever be migrated to the cloud.

In the healthcare industry, however, concerns over security make the move to the cloud a challenge because the process and end result can include risks and compliance issues. For this reason, the healthcare industry's cloud adoption lags behind other industries. Let's explore this further, along with some best practices for implementing hybrid IT in a healthcare environment.

Weighing the Pros and Cons of Hybrid IT in Healthcare

As more patient data becomes digitized and the volume of that data rises, the cloud becomes an increasingly appealing way to manage capacity and growth, all for a lower total cost of ownership than a strictly on-premises strategy could offer. Additionally, hybrid IT allows companies, especially those with multiple time zones and varying levels of activity throughout the day and night, to provision their compute needs and reduce downtime or latency.

Also appealing is how modern hybrid IT strategies can help healthcare organizations in many countries, including the United States, comply with data residency regulations, which require companies in France, for example, to keep all sensitive data on servers inside their own country. To solve this five to ten years ago, companies would place miniature data centers regionally, writing applications that would ensure the correct data would be pulled for the right needs at the right time. Now, with a hybrid IT environment, Amazon Web Services, for example, solves this issue with availability zones, where all data in the data center appears as one contiguous set assigned to certain cloud regions. From a compliance standpoint, availability zones are one of the biggest benefits to healthcare organizations because they don't allow specific datasets to move around in noncompliant ways.

Today, Brexit adds even more complications to this equation that hybrid IT can help alleviate. The United Kingdom (UK) and European Union have yet to define which data residency standards the UK will follow, so with a hybrid IT strategy, companies can both work within today's regulatory climate and pivot quickly should the laws change. Without hybrid IT and a cloud strategy, IT professionals in healthcare organizations will have to spend countless hours and dollars rewriting applications to fit updated standards.

As sure as hybrid IT simplifies data residency and provides easier and more cost-effective ways to manage increasing medical data, there are certainly challenges to consider as well, such as ensuring the availability of cloud services without direct control over them. At the end of the day, healthcare organizations' in-house IT professionals are still responsible for ensuring the performance of all the network connections their organizations rely on, whether they own the networks or not. In essence, they have become responsible for not only their networks, but the networks of cloud and SaaS providers and the networks of their ISPs.

Thus, they can end up with cloud-based applications that depend on multiple networks into which they have no visibility and over which they have no authority. These applications may range from simple things such as a website or remote web service, all the way up to a complex mission-critical application, which in the healthcare world can truly be life or death.

Another obvious concern is the ever-increasing need to secure electronic personal health records, which also ties into HIPAA privacy law compliance. A key challenge is that the classic security model of confidentiality, availability and integrity looks different in a hybrid IT world. By definition, hybrid IT takes data that was in an on-premises data center and spreads it across the internet. How does one ensure confidentiality if data is entered into a vendor's application and that data is then shipped across the world to data centers with different local regulations on data security? Application-level encryption in transit, typically TLS, can help, but just because the data was transported securely doesn't mean it will be stored securely.

The same thing applies to the integrity of data. How does one ensure the data stored out of one's control doesn't get modified? Even in complete on-premises deployments, it's rare for IT departments to have programs in place to ensure and audit the integrity of data stored. To be fair, it's much easier to find news about data breaches from on-premises deployments than from public cloud or SaaS vendors.
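One way to audit the integrity of records held outside the organization's control, the question raised above (an added example, not part of the original article): tag each record with a keyed hash before upload, keep the key and manifest on-premises, and check copies fetched back later. The function names, sample records and key are constructed for illustration.

```python
import hashlib
import hmac

def _tag(key: bytes, name: str, data: bytes) -> str:
    # Bind the tag to the object name (length-prefixed) so valid contents
    # cannot be swapped between two names without detection.
    encoded = name.encode()
    msg = len(encoded).to_bytes(4, "big") + encoded + data
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def build_manifest(records: dict, key: bytes) -> dict:
    """Run on-premises before upload: one HMAC-SHA256 tag per record."""
    return {name: _tag(key, name, data) for name, data in records.items()}

def audit(manifest: dict, fetched: dict, key: bytes) -> dict:
    """Compare copies fetched from the provider against the manifest."""
    findings = {"modified": [], "missing": [], "unexpected": []}
    for name, expected in manifest.items():
        if name not in fetched:
            findings["missing"].append(name)
        elif not hmac.compare_digest(expected, _tag(key, name, fetched[name])):
            findings["modified"].append(name)
    # Objects the provider returns that were never recorded on-premises.
    findings["unexpected"] = sorted(set(fetched) - set(manifest))
    return findings

# Constructed sample data; a real key would come from an on-premises
# key store and never be uploaded alongside the records (assumption).
SAMPLE_KEY = b"constructed-demo-key-not-for-use"
SAMPLE_RECORDS = {
    "rec-001.json": b'{"id": 1, "note": "sample A"}',
    "rec-002.json": b'{"id": 2, "note": "sample B"}',
    "rec-003.json": b'{"id": 3, "note": "sample C"}',
}

if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_RECORDS, SAMPLE_KEY)
    returned = dict(SAMPLE_RECORDS)
    returned["rec-001.json"] = b'{"id": 1, "note": "altered"}'  # changed in storage
    del returned["rec-002.json"]                                 # lost in storage
    print(audit(manifest, returned, SAMPLE_KEY))
```

A plain unkeyed hash stored next to the data would not serve here, because anyone able to modify the record could recompute it; the key staying on-premises is what makes the audit meaningful.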

At the end of the day, healthcare IT executives are faced with somewhat of a catch-22: innovate to keep pace with other industries but potentially risk downtime or a data breach, or remain technologically stagnant while complying fully with healthcare privacy regulations and perhaps even beyond but suffer from a lack of innovation and the efficiency and effectiveness benefits that come along with it.

Best Practices

The reality is there is no one-size-fits-all resolution. Every healthcare organization is different and needs to weigh the adoption of the cloud and hybrid IT based on need, benefit and risk. With that said, for any who are planning to adopt a hybrid IT strategy or perhaps already have, it's important to follow the below best practices to ensure a smooth cloud transition, implement proper performance management of a hybrid IT environment and remain as compliant and secure as possible while also reaping the benefits of the cloud.

  • Build a roadmap: Remember, there is no catch-all answer to cloud migration; it's different for every healthcare organization, and is often a multi-year journey. The best thing for any IT department considering a move to the cloud to do is to build a roadmap. As part of this, they should be informed enough to make smart decisions when it comes to cloud, even if the decision is to not transition to the cloud.
  • Support legacy systems. One should not assume that the cloud will solve all problems. It's more than likely that an organization will have some systems that will never transition to the cloud, either for financial, technical or compliance reasons. It's important to have a plan for supporting legacy systems alongside the cloud now and in the future.
  • Prioritize redundancy. Along the same lines, one should not assume cloud reliability is better than on-premises by its very nature. For all its benefits and capabilities, a hard drive can still go down in the cloud. Then what? A backup solution must be redundant at a scale and capacity capable of maintaining the bandwidth required by internet and network connections in a hybrid IT environment. It's no longer enough to have a primary network and two backups that each operate at 25 percent capacity—backups will need to be able to sustain the majority of operations rather than just a reduced capacity failover.
  • Keep security top of mind. Many of the larger cloud service providers already implement compliance programs for some of the most stringent policies, including HIPAA. Every time a provider adds a new service or feature, those compliance certifications must be re-upped to ensure they meet the requirements of clients and specific SLA contracts. Beyond this, half the battle is having an awareness of any potential security threats and ensuring countermeasures are in place. Due diligence must be done in terms of understanding what is covered with regard to security and compliance for each platform. By having a fundamental understanding of a provider's approach to securing data, one can create a solid "handshake" between the data stored on-premises and data hosted in the cloud. A great place to start is by leveraging the NIST cybersecurity framework, which encourages IT professionals to develop a framework—based on existing standards, guidelines and practices—for reducing cyber risks to critical infrastructure. In the hybrid IT era, processes like encryption in flight, encryption at rest, VPN tunnels, monitored user access and accountability are critical to ensuring data remains secure when it's traveling from an on-premises server to the cloud and back again.
  • Monitor for the hybrid IT era: Similar to establishing a unified view across on-premises hardware, where infrastructure might be comprised of any number of disparate vendor solutions, IT professionals must implement a monitoring system that gives them a view across the entire hybrid IT environment to ensure performance on-premises and off. Such a system will allow IT departments to make informed decisions about what workloads belong on-premises or in the cloud. The tool should be able to provide visibility—through a single pane of glass that displays both current (near real time) and past (forensic) status and statistics—into when application performance is slowing down or underperforming whether in the cloud or on-premises, and compare relative performance between these two to make informed decisions.
  • Focus on developing or improving certain key technical skills and knowledge. As with IT professionals in other industries, today's healthcare IT professionals need to extend across traditional generalist or specialist roles and become polymaths in order to be successful in the hybrid IT world as they pivot across multiple technology domains. According to the research cited above, the most important skills and knowledge healthcare IT professionals need to develop or improve to successfully manage hybrid IT environments are security, of course; service-oriented architectures; automation; vendor management; application migration; distributed architectures; API; and hybrid IT monitoring and management tools and metrics.

The cloud and hybrid IT have proven their worth across many industries, and with the proper processes and management, organizations in even a highly regulated industry such as healthcare can benefit as well.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

© Copyright ASC COMMUNICATIONS 2019.