Cloud Sourcing in a Medical Environment – Can it Work?

Article by Kevin Tye:

The world is going cloud sourcing mad. Everywhere we look we are assailed by the idea that the cloud is the only way to go, and in many ways that is right. Cloud storage solutions are reliable, safe and available, or are they?

I work for one of the largest NHS Trusts in the UK in Service Delivery. We have over 800 supported services and applications, and more and more we are looking at possibly replacing some of those on-premises services with off-site alternatives. Many of our suppliers are switching their service offerings over to SaaS rather than conventional deployed software. The question we in Service Delivery must ask ourselves is: “Is this the correct way to go for us?”

There are a number of facets to this question which we must examine before we a can make a sensible and informed decision, including:

• Corporate Data Security – will our corporate data be safe out in the cloud?
• Patient Data Protection – will our patient’s data be safe, and will where our suppliers store this data conform with Data Protection legislation and Information Governance regulations?
• Data Access – will a cloud based solution give us the required level of access to our data?
• Cloud Support – how will the cloud support model work for a busy 24 x 7 x 365 operation like ours?

Corporate Data Security

Potentially the data is likely to be more safe when hosted in the cloud than when hosted on-premises. I say likely because this isn’t an automatic thing. Much depends upon the cloud hosting company that is ultimately holding the data. Many SaaS organisations out in the world are not hosting their own clouds but are buying in the hosting and bolting their service offering on top.

Therefore it behoves us at the Trust, and anyone who is actually considering buying SaaS from outside vendors to check how the data is handled, who is hosting it and what SLAs are in place between the host and the service provider. Never forget that your contract is between your organization and the service provider.

However, all things being equal your data is almost certainly as safe if not safer in a third party data centre where it is backed up every day.

Patient Data Protection

Whilst this is a specific problem for healthcare providers, it is similar in any organization who keep records of their “customers”. When your customer (patient in my world) gives you information about themselves, they have a realistic expectation that you will treat that information with respect, will protect it and will not use it for purposes outside of that for which it was gathered. They can also expect that you will keep it up to date and will only keep it for as long as is necessary. That last couple of sentences describe briefly the main principles of the Data Protection Act here in the UK.

As a large Healthcare provider we have very strict regulations for Information Governance dictating exactly how we will deal with patient information. Therefore it behoves us when choosing a cloud service provider to be absolutely certain how that provider is going to handle any patient data that will pass through their systems.

Storage of that data must not be outside of the EEA, (unless in a “Safe Harbour”). It must be backed up and secure against accidental or deliberate unauthorized access. It must be available and in a managed environment. All of the guiding principles of the UK Data Protection Act as laid down by the UK Data Registrar must be adhered to. So when you look at your cloud service provider makes sure you ask the right questions and are happy with the answers given.

Data Access

When a system is hosted on-premises, access by the staff that use that system is usually by pass through Active Directory (AD) authentication or by dedicated user name and password (for really secure systems it may even involve smart card access). For cloud offerings, this level of access should be no different. My Trust is currently piloting a cloud based HR system to which every single employee of the Trust will have access. This is in most cases by Single Sign-on, once signed onto our network, simply accessing the portal picks up the employee AD credentials and gives them the appropriate level of access they need. Therefore again you must ask the questions:

• How will my staff access the information stored in the cloud?
• How will password resets happen?
• What level of “Fall Back” is there for when communications are down?

The above are just the basic questions which must be asked.

Cloud Support

Who will support this new cloud based system? This is one of the riskiest areas to look at, as when everything is running okay, the last things on users minds is who do I call when things go wrong. It is the job of IT, and specifically IT Service Delivery departments to consider this. Unclear support models can lead to users being disconnected from their systems for extended periods due to suppliers and in house support staff arguing jurisdiction.

This area is one of the trickiest to resolve and the only way it can be handled is by very clear and unambiguous demarcation of tasks and activities. To implement an off-premises solution requires precise project management, totally transparent processes, leading to a clear communications strategy for the work.

Trust me when I say I am speaking from experience on this.

Conclusion

Can it work? Absolutely. Is it right for every service or application your enterprise runs? Almost certainly not. However working in the cloud can provide a different and improved way of conducting business.

Kevin Tye has been a Technical Author for over 25 years working in both the UK Public and Private Sectors. Organizations he has undertaken work for include, the Royal Navy, EDS, CSC, and the National Health Service. Kevin has held the post of Principle Technical Author for one of the largest NHS Trusts in the UK for the last two and half years working to support Service Delivery and Applications Management. He holds a Master’s Degree equivalent in Computer Science and has strong views on the future of Service Development and Delivery.