
HIMSS Recap: Security Remains a Key HIT Concern (Gartner Reprint of "It's Time for Healthcare to Move to the Cloud")

This research note is restricted to the personal use of [email protected]


G00308719

Healthcare Providers: It Is Time to Trust Cloud Service Providers as Partners

Published: 28 July 2016

Analyst(s): Gregg Pessin

It's time for cloud service providers to be considered trusted partners to healthcare delivery organizations. HDO CIOs should use this research to come to terms with concerns about security, privacy and service delivery to break through the barriers that are preventing full-partnered cloud adoption.

Key Findings

■ CIOs are under pressure to adopt cloud services for reasons other than cost savings or functional improvement, such as prime vendors moving to cloud-only solutions with no on-premises options.

■ When able, healthcare delivery organization (HDO) IT leadership takes measured steps toward the adoption of cloud-based services.

■ SaaS is the prevailing cloud model in use today by HDOs.

Recommendations

■ Work through the security, privacy and service delivery barriers that exist in the organization surrounding cloud-based services.

■ Create a hybrid cloud strategy that includes a combination of private, community and publicly hosted offerings to unlock the missing capabilities HDOs need.

■ When comparing vendors, look for healthcare-specific cloud service partners.

Analysis

A Matter of Trust

HDO CIOs have stepped lightly into the world of cloud-based IT services for both infrastructure and application solutions, and with good reason. There has been a general reluctance to embrace cloud offerings, particularly for protected health information (PHI), due to concerns over Health Insurance Portability and Accountability Act (HIPAA) readiness and security. This reluctance is now unfounded. In most cases, cloud service providers (CSPs) have more robust and comprehensive security practices and security talent than are available to most HDO IT departments. Cloud services have matured, as have the practices for cloud-using organizations, and the time has come for HDOs to recognize cloud service providers' strengths and consider cloud-based hosting services as a viable, regulation-acceptable IT service delivery model.

Much of the HDO CIOs' hesitation to fully embrace the cloud has to do with trust. This is understandable when considering that, for the past decades, HDOs have relied on internal IT departments managing services running from HDO-owned or -controlled data centers. Hospital leadership has established a trust relationship with the IT department. This trust relationship has three layers, as depicted in Figure 1. The first is between HDO senior leadership and the CIO, the second is between the CIO and the IT staff and the third is between the IT staff and the vendors that provide the hardware and software. All three trust relationships are built on the successful evolution of service delivery over time.

Figure 1. Levels of Trust

Source: Gartner (July 2016)


Just under 1,600 PHI breaches impacting 500 or more individuals were tracked by the U.S. Department of Health and Human Services (HHS) over the last five years.1 Two hundred of those were hacking events, and out of those, only one CSP was identified. It was not for a PHI disclosure, but because there was a possibility it had allowed a virus injection attack on systems that contained PHI. All of the other registered breaches were due to security failures at the HDO. This should no longer be considered a surprise. From a technical and operational perspective, CSPs are executing at a very high performance level. They have invested in top-tier infrastructure and built state-of-the-art data center facilities managed by the industry's best talent on a 24/7 basis. Their ability to deliver infrastructure and application services to the HDO is better than the HDO's own IT department's.
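The figures above come from tallying the HHS Office for Civil Rights breach portal. The following is an added example, not part of the Gartner note, showing the kind of tally behind such numbers: it parses portal-style records, keeps only those at or above the 500-individual reporting threshold, counts hacking events and flags which of those involved a business associate. The column names are assumed to match the portal's CSV export; the rows are constructed sample data, not real portal records. One caveat a practitioner should note: the "Business Associate Present" flag only says a business associate of some kind was involved, so deciding whether that associate was a cloud provider still requires reading the per-incident description, as the analyst did.

```python
"""Tally HHS breach-portal-style records by breach type and business-associate involvement.

Added example for this reprint, not Gartner's or HHS's code. Column names are an
assumption about the portal's CSV export; SAMPLE_CSV is constructed data.
"""
import csv
import io
from collections import Counter

REPORTING_THRESHOLD = 500  # breaches affecting >= 500 individuals are listed on the portal

# Constructed sample rows in the portal's export layout (not real breach records).
SAMPLE_CSV = """Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present
Example Hospital A,TX,Healthcare Provider,1200,03/14/2016,Hacking/IT Incident,Network Server,No
Example Health Plan B,CA,Health Plan,54000,01/05/2016,Hacking/IT Incident,Email,No
Example Clinic C,NY,Healthcare Provider,800,11/20/2015,Theft,Laptop,No
Example Practice D,FL,Healthcare Provider,3100,06/02/2016,Hacking/IT Incident,Network Server,Yes
Example Hospital E,OH,Healthcare Provider,450,04/10/2016,Unauthorized Access/Disclosure,Paper/Films,No
Example Hospital F,IL,Healthcare Provider,2500,02/28/2016,"Hacking/IT Incident, Unauthorized Access/Disclosure",Network Server,No
"""


def load_records(csv_text: str) -> list[dict]:
    """Parse CSV text into a list of row dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def individuals_affected(row: dict) -> int:
    """Parse the affected count, tolerating thousands separators in the export."""
    return int(row["Individuals Affected"].replace(",", "").strip())


def reportable(records: list[dict], threshold: int = REPORTING_THRESHOLD) -> list[dict]:
    """Keep only breaches at or above the public reporting threshold."""
    return [r for r in records if individuals_affected(r) >= threshold]


def breach_types(row: dict) -> list[str]:
    """A record may carry several comma-separated breach types; split them."""
    return [t.strip() for t in row["Type of Breach"].split(",") if t.strip()]


def hacking_events(records: list[dict]) -> list[dict]:
    """Records whose breach type includes the portal's hacking category."""
    return [r for r in records if "Hacking/IT Incident" in breach_types(r)]


def summarize(records: list[dict]) -> dict:
    """Counts a reviewer would quote: reportable total, hacking events,
    hacking events with a business associate present, and a per-type breakdown."""
    rep = reportable(records)
    hacks = hacking_events(rep)
    by_type: Counter = Counter()
    for r in rep:
        for t in breach_types(r):
            by_type[t] += 1
    with_ba = sum(1 for r in hacks if r["Business Associate Present"].strip().lower() == "yes")
    return {
        "reportable": len(rep),
        "hacking": len(hacks),
        "hacking_with_ba": with_ba,
        "by_type": dict(by_type),
    }


if __name__ == "__main__":
    print(summarize(load_records(SAMPLE_CSV)))
```

Run against a real portal export, the same functions give you the denominator (reportable breaches), the numerator (hacking events) and the shortlist of hacking events that had any business associate involved; the last set is the one to read by hand before attributing anything to a cloud provider.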

The cloud vendors are working hard to prove that their services are reliable and trustworthy, with a growing number of them maintaining formal third-party security evaluations, such as International Organization for Standardization (ISO) 27001 and Service Organization Controls (SOC) 2. The healthcare market is a lucrative, mostly untapped market for them, and they cannot afford any missteps. A growing number of cloud vendors have moved forward with offering business associate agreements (BAAs) to show that they stand behind their HIPAA-ready security infrastructure, methods and policies.

To further demonstrate their trustworthiness, CSPs have mechanisms to make their service delivery performance transparent to their customers. Almost every agreement to host services in the cloud includes an SLA that provides negotiated availability for the services provided. Availability is typically measured by starting with the agreed hours of availability in a time frame (monthly), subtracting the duration of incidents incurred during the month, then dividing by the agreed hours, ending up with a percentage. For example, an availability figure of 99.99% means the CSP is allowed 52.56 minutes of unexpected downtime in a year, and 99.999% equals 5.26 minutes of downtime in a year.
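The availability arithmetic above is simple but easy to get wrong when incidents overlap or straddle the measurement window. The following is an added example, not part of the Gartner note, that computes the downtime budget for a target (reproducing the 52.56- and 5.26-minute figures) and measures a month's availability from an outage log the way the note describes. Overlapping incident windows are merged so concurrent tickets are not double-counted, and windows are clipped to the period. The incident timestamps are constructed sample data.

```python
"""SLA availability arithmetic: downtime budget per target and measured availability from incidents.

Added example for this reprint, not Gartner's code. SAMPLE_INCIDENTS are constructed.
"""
from datetime import datetime

MINUTES_PER_YEAR = 365 * 24 * 60  # 525,600; the basis for the 52.56 / 5.26 minute figures


def allowed_downtime_minutes(target_pct: float, period_minutes: int = MINUTES_PER_YEAR) -> float:
    """Downtime budget for an availability target over a period (default: one year)."""
    return (100.0 - target_pct) / 100.0 * period_minutes


def merge_intervals(intervals):
    """Merge overlapping or touching outage windows so simultaneous incidents
    (two tickets for one outage) are not counted twice against the budget."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def downtime_minutes(period_start: datetime, period_end: datetime, incidents) -> float:
    """Total unplanned downtime inside the period, after merging and clipping."""
    total = 0.0
    for start, end in merge_intervals(incidents):
        clipped_start = max(start, period_start)
        clipped_end = min(end, period_end)
        if clipped_end > clipped_start:
            total += (clipped_end - clipped_start).total_seconds() / 60.0
    return total


def measured_availability_pct(period_start: datetime, period_end: datetime, incidents) -> float:
    """(agreed minutes - incident minutes) / agreed minutes, as a percentage,
    i.e. the calculation the note describes for a monthly SLA report."""
    agreed = (period_end - period_start).total_seconds() / 60.0
    return 100.0 * (agreed - downtime_minutes(period_start, period_end, incidents)) / agreed


def sla_met(target_pct: float, period_start: datetime, period_end: datetime, incidents) -> bool:
    """True when measured availability reaches the contracted target."""
    return measured_availability_pct(period_start, period_end, incidents) >= target_pct


# Constructed sample outage log for July 2016 (not real incident data).
PERIOD_START = datetime(2016, 7, 1)
PERIOD_END = datetime(2016, 8, 1)
SAMPLE_INCIDENTS = [
    (datetime(2016, 7, 4, 2, 0), datetime(2016, 7, 4, 2, 12)),      # 12 minutes
    (datetime(2016, 7, 18, 23, 55), datetime(2016, 7, 19, 0, 2)),   # 7 minutes
    (datetime(2016, 7, 19, 0, 0), datetime(2016, 7, 19, 0, 2)),     # duplicate ticket, overlaps above
]

if __name__ == "__main__":
    for target in (99.9, 99.99, 99.999):
        print(f"{target}%: {allowed_downtime_minutes(target):.2f} min/year budget, "
              f"July met: {sla_met(target, PERIOD_START, PERIOD_END, SAMPLE_INCIDENTS)}")
```

With 19 minutes of merged downtime in a 44,640-minute month the measured figure is about 99.957%, which meets a 99.9% target but misses 99.99% (a monthly budget of roughly 4.46 minutes). Note that the definition of "incident" and whether planned maintenance counts are contractual questions; the arithmetic here assumes every logged window is unplanned downtime.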

These mechanisms are how HDO CIOs and IT leadership measure trust. Independent security evaluations, commitment to maintain BAAs and service delivery within the agreed-to SLA over time are key. When put in perspective and compared with how the trust relationship was established back when x86 servers took over from midrange and mainframe systems, or virtual machines replaced physical servers, there is a direct parallel. It took everyone witnessing the dependable service over time to establish trust in those IT paradigms. It is time that HDO CIOs allow CSPs to join the trust level that in-house vendors have been occupying, and consider partnering with them to deliver the IT services the HDO needs. Instead of worrying about whether or not public cloud services are secure, HDOs need to start developing their strategies for public cloud use (see "Cloud Strategy Cookbook") and ensure that they have the people, policies and processes to apply those services effectively and securely (see "Clouds Are Secure: Are You Using Them Securely?").

Hybrid Approach to Cloud Strategy

With the barriers to cloud adoption being addressed, a full assessment of cloud service offerings will lead to the creation of an enterprise cloud strategy and architecture. This approach will unlock the value of cloud-based services for the HDO, bringing the HDO IT department all of the flexible, elastic compute and storage capabilities that have been missing. When answering the question about how to integrate cloud services into an existing set of infrastructure and software services, careful review of enterprise and application architecture needs to be taken into consideration. No one cloud service platform will address all of the needs of an HDO. The combination of the various platforms into a single solution is referred to as a hybrid approach. The cloud strategy should include a tiered approach to application placement within the various cloud platforms, based on the usage and operation of each application. This tiered approach is similar to tiered storage solutions. In a tiered storage architecture, the type of storage used is tied to the application's requirements for data storage and retrieval. This can be based on factors like retrieval speed or the type of data being stored. The same is true for a tiered hybrid cloud strategy. The type of cloud services chosen should match the application's use. The hybrid strategy will include locations such as:

■ Internal data centers

■ Colocated data centers

■ Remotely hosted services

■ Public cloud infrastructure as a service (IaaS)

■ Platform as a service (PaaS)

■ SaaS

Integration of these placement options needs to be architected for current requirements, as well as projected growth and service evolution over time. Services that run from each of the various locations within the architecture will need to interoperate. Planning for those communication pathways needs to be a key component of the hybrid architecture and needs to take into consideration the same security and privacy concerns addressed by the cloud partners (see "Hybrid Architectures for Cloud Computing" for more detail).

Healthcare-Specific Cloud Providers

As the cloud strategy forms, HDOs will begin to shortlist vendors for selection as potential partners. Follow published Gartner guidelines when considering various vendors:

■ Use the same criteria for establishing a trust relationship that you would for other services.

■ Only do business with CSPs that will sign a HIPAA BAA or its regional counterpart, such as a data processing agreement under the European Data Protection Directive (95/46/EC).

■ Use the "sweet spot" approach to narrow down vendor selection (see Note 1).

The list below presents a few of the CSPs that specifically service the healthcare provider community, will provide a BAA and have already become trusted partners of many HDOs. The vendors listed provide a variety of service offerings, including public and private IaaS, public and private PaaS, remote hosting capability, and managed services, such as backup and recovery services and disaster recovery services (see "Market Guide for Cloud Service Providers to Healthcare Delivery Organizations").


■ Amazon Web Services (Health and Cloud Computing)

■ ClearDATA

■ Connectria (Solutions)

■ Hosting (Hosting Healthcare Cloud)

■ Microsoft Azure

■ Velocity Technology Solutions (Healthcare)

Gartner Recommended Reading

Some documents may not be available as part of your current Gartner subscription.

"Market Guide for Cloud Service Providers to Healthcare Delivery Organizations"

"Clouds Are Secure: Are You Using Them Securely?"

"The Top 10 Cloud Myths"

"How to Evaluate Cloud Service Provider Security"

"Preparing the In-House IT Organization for Public Cloud"

"Solution Path for Implementing a Public Cloud Adoption Maturity Plan"

"Hybrid Architectures for Cloud Computing"

"Speed Up Cloud Service Selection Using a Deal 'Sweet-Spot' Analysis"

Evidence

1 See U.S. Department of Health and Human Services Office for Civil Rights Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information.

Note 1 Sweet-Spot Checklist

Although this checklist is centered on IaaS, it applies well to other cloud service offerings.

1. Fit of service offerings

■ Does the offering meet your public or private cloud business processing requirements?

■ Can it be operated and self-managed, and can it be provided as a managed service, if required?

■ What is the general track record of the IaaS provider in delivering services to your local area?


■ Will the IaaS hardware platforms support your typical test and production environments, and are they consistent with your enterprise's architectural requirements?

■ Can the offering deal with in-country location constraints for storing and processing your data?

■ Can the WAN and LAN capabilities meet the minimum performance requirements to make the IaaS offering technically viable in the locales you have offices in?

■ Can the IaaS provider provide an appropriate level of help desk support?

2. Scale of services deal

■ Does the IaaS provider have a range of clients with similar production scale, complexity and/or test processing requirements that run on the proposed IaaS platform?

■ Is the IaaS offering readily scalable to meet your current and future needs?

■ Is the network access readily scalable to meet your current and future needs?

■ Does the vendor have the financial capability to sustain funding for this level of scalability?

■ Are the IaaS architecture and infrastructure designed to be easily shareable with manyenterprise or public users?

■ What is the licensing impact of running your application and database software on a scalable shared platform? Is it commercially viable to change your licensing arrangements?

■ Can the IaaS operating environment support your required recovery time and recovery point objectives?

3. Maturity of service delivery processes

■ Does the IaaS provider have a good track record of delivering the required services at consistent levels of availability and performance to meet your application response time requirements?

■ Are its managed service offerings delivered according to industrial-strength operational and quality processes, such as ITIL V3 and Six Sigma?

■ Does the provider use common toolsets to deliver help desk services to all its clients, and monitor and report on the quality of your service?

■ Is there a service dashboard available to give you visibility of ongoing performance and any problems?

■ Are its contract terms and conditions fixed (which is fine for testing), or can you configure them to meet your enterprise's commercial requirements?

■ Will the provider guarantee to meet your minimum service-level requirements and pay penalties if it doesn't?

■ Can the IaaS provider guarantee the security and privacy of your data and related processing?


4. Cultural compatibility

■ Is the provider used to working with client organizations like yours, and is it easy to do business with?

■ Do you need the provider to have people who understand the nuances of working in your industry? If so, does it have staff who understand those nuances?

■ For large-enterprise requirements, can it allocate a specific relationship and service delivery manager resource to work with your service management team on a regular basis?

5. Flexibility in dealings and the extensibility of solutions

■ Is it easy to scale the IaaS services up, as well as down, both physically and contractually?

■ Can the provider or its channel partner deliver other cloud-based project and technology implementation services you might need?


© 2016 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates.