Prospects forCloud Computing

in a Public University Hospital

ArturoGonzález-Ferrer,Ph.D.

SanCarlosUniversityHospitalMadrid,Spain

Wien,AustriaNovember23rd 2016

Agenda

1. Context• Hospital• Innovation Unit

2. Health IT Security & Cloud3. Our case

• Hospital status• Regional status

4. Prospects: ongoing projects5. Challenges6. Benefits7. Conclusions

EnisaeHealthCibersecurityWorkshop 2

HospitalClínico SanCarlos(HCSC)

• LocatedinMadridcitycenter• BelongstoSERMAS(+30hospitals)• 964beds• Potentiallyprovidingcareto365.000patientsfrom14primarycarefacilities

• 40.000admissions,650.000outpatientconsultations

• 125.000emergencyconsultations(350/day)• Morethan5.000professionals.

• 807staffphysicians,453residents

EnisaeHealthCibersecurityWorkshop 3

InnovationUnitHCSC• MainmantraistoproduceVALUE

• Channelinginnovationrequestsfrom• Hospitalprofessionals• Externalpartners• Or…proactiveproposalsbyourselves

• Twomainareas:DevelopprototypesofinnovativeIT,togetherwithexternalpartners

Supporttheinnovationprocesstomoveclinicalresearchtomarket

EnisaeHealthCibersecurityWorkshop 4

HealthIT securityproblems:governance

• HeadDirectorsofITDepartmentin“Castilla yLeón”RegionalHealthcareSystemforcedtoresignthismonthduetothelostofthousandsofmedicalimagesduringmigrationofanoldITsystem

• Externalcompanyhadthegovernance ofdataandthecontractexpired…

EnisaeHealthCibersecurityWorkshop 5

HealthIT securityproblems:VirusvsHA

EnisaeHealthCibersecurityWorkshop 6

HealthIT securityproblems:externalstorage

EnisaeHealthCibersecurityWorkshop 7

• Patientsshouldhavefreedomofaccesstotheirhealthcaredata.

• Researchersneedeasyaccesstopatientdata.

• Societydemandssecurityinthisregard

• SecurityvsUsability?Theyareusuallyenemies

whowins?

EnisaeHealthCibersecurityWorkshop 8

ReviewofsecurityinEHRs• 26/49usedstandardsorregulations

• 27/49studiesuserole-basedaccesscontrol(RBAC)

• 16/49saysemergencyjustifypermissionoverride

• 25/49audit-logisproduced• 4/49mentionthatusers,healthstaffshouldbetrainedinsecurityandprivacy(!?)

EnisaeHealthCibersecurityWorkshop 9

DataProtectionRegulation

Securitymeasures BasicLevel MediumLevel HighLevel1 StaffFunctions andobligations Si Si Si2 IncidentLog Si Si Si3 Accesscontrol Si Si Si4 Handlingofstorage anddocuments Si Si Si5 AuthenticationandAuthorization Si Si Si6 Back-upandrestore Si Si Si7 Securityresponsible Si Si8 Audit Si Si9 Handingof storageanddocuments Si Si10 AuthenticationandAuthorization Si Si11 Physical accesscontrol Si Si12 IncidentLog Si Si13 Handling anddistributionofstorage Si14 Back-upandrestore Si15 Accesslog Si16 Telecommunications Si

Security measures are regulated in sections 89 to 104 of Spanish “Ley Orgánica de Protección deDatos” (Real Decreto 1720/2007) :

EnisaeHealthCibersecurityWorkshop 10

SERMASAthene@Plan:CloudCenterofRegionalHealthITSystems(2013)

• Three-DataCenter topology(Active-Active/Contingency)• PrivateCloudforallMadridhealthcenters• Consolidation:Virtualization+Standardization

• Lesscost• HigherFlexibility,AvailabilityandSecurity

EnisaeHealthCibersecurityWorkshop 11

Inourinstitution?• Many“DataIslands”(lab,pharma,nursingemergency,

radiology…)

• 40%ofhospitalsoftwareareself-developments

• Very difficult totackle migrations

• NostructuredEHR(yet)

• IntranetWebapplication“PACIENTE”(2005)tosavedischargepatientreports+integrationwithlabresults

• Paperpatientmedicalhistoriesarestoredin-hospitalbutalsooutside,throughacompanythatkeep,orderandtransportthem

• NoformalCISO(inprocess)

Enisa eHealthCibersecurity Workshop 12

IaaSorSaaSExample:ClinicalDecisionSupportonHyponatremia

• Awebapptocollectpatientinfoandgetevidence-baseddecisions

EnisaeHealthCibersecurityWorkshop 13

IaaSsecuredeploymentExample:MobiGuide

CreditstoDanieleSegagni (FSM)EnisaeHealthCibersecurityWorkshop 14

BigData:HIKARIProject

MLaaS:MachineLearningasaService

• IaaS,SaaScreatedforDataanalyticsforhealthcareresearch

• RonHadoop?

DataoutsidetheHospital?

EnisaeHealthCibersecurityWorkshop 16

Label Num. Patients

Intra-cluster contribution of variables (shown those >15%, except when not reaching the threshold, where we show those >9%)

Cancer 53 Cancer of bronchus; lung (81.13), Secondary malignancy of bone (45.28), Secondary malignancy of lymph nodes (43.4), Secondary malignancy of brain/spine (41.51), Secondary malignant neoplasm of liver (28.3), Secondary malignancy of respiratory organs (22.64), Cancer, suspected or other (18.87)

UTI 81 Urinary tract infection (95.06), E. coli (32.1), Bacterial infection NOS (29.63), Diaphragmatic hernia (23.46), Delirium due to conditions classified elsewhere (17.28)

NotSpec 351 Urinary tract infection (13.68), Other diseases of respiratory system, NEC (12.54), Encounter for long-term (current) use of aspirin (10.83)Hyperplasia of prostate (9.4)

Easychallenges

• Demonstratecapabilitiesofthecloudsolutionforworst-casescenarios

• vulnerabilitiesindatatransferinterfaces• breachofdataconfidentiality• breachofdataintegrity• accidentallossofdataavailabilityorconfidentiality

• Demonstratefeatures• Increasedprotectionofpersonaldata• provenanceandtraceability• simplicity(e-certificates,vpn’s,etc…arenoteasyforusers)

EnisaeHealthCibersecurityWorkshop 17

Hardchallenges

• Procurement cantakeanage.Eachspendmustbefullyjustified,causeseriousdelaysininnovation

• Institutionalandgovernmentsupport.Inourhierarchicalstructure,isneeded.

• Change&prioritymanagement:Youknowwhatcould bedone!Butphysiciansarecaringforpatients.

• PatientSensitivedata:in-houseprivatecloudiscostly,outsidepubliccloudisinsecure…

• Cloudproviderscannotseepatientdata

EnisaeHealthCibersecurityWorkshop 18

Benefits

• Securityisimproved,ifwellimplemented

• Speed-uponbackingupfromITdisasters

• Testingnewtechnologiescanbeveryfastandindependentthankstovirtualization

• On-demandscalabilityforEHRuseandresearchtasks

EnisaeHealthCibersecurityWorkshop 19

Conclusions

• Theneedfortraininghospitalstaffatalllevelspreventdoingfastinnovationsthathaveimpactontheirdailyactivity

• Securitycanbeimprovedovertraditionalpaper-basedrecords.Needtodefinegovernanceanddefineusableandhardsecuritypolicies.

• Actualbenefit:reductionofcostsandbackup.Prospect:MlaaS,CDSS,…

• Usingvirtualization,careprofessionalscanexplorenewITsolutions

• Toreachhospitals,successrelyoniterativeapproach:cheapscenario-basedprototypesthatworkcanenduponvalue-basedinvestments

EnisaeHealthCibersecurityWorkshop 20

Thankyou

Dr.Strange(2016)

”You are now inside the mirror dimension,ever present but undetected. The real worldisn't affected by what happens here. We usethe mirror dimension to train, surveil andsometimes to contain threats”.

Cloud:aparalleldimensionthatallowstheuser topracticetheirmagicalabilitieswithoutthepublic'sknowledge 21

Aboutmyself:arturogf@gmail.com

Designed the e-learning service. 30.000 students. HA with GFS2 +SAML2-Shibboleth federated Auth.

Leaded the Data Integration Tasks within a 5M€ EU-funded FP7 project to develop a patient guidance system

2002 2010 2013 Today

Ph.D.UC3M

University

2015

supports the institution taking IT innovations that can providesome value for improvement

EnisaeHealthCibersecurityWorkshop 22