Cloud computing is a growing force in healthcare and offers clear benefits for organizations of all sizes. What is less clear to many organizations are the pros and cons of various cloud adoption strategies and how to successfully move applications and data to the cloud. Discover how cloud technology platforms can transform EMR implementations, digital image archiving and security. Through the use of real-world case studies, participants will learn effective change management strategies from a technical/operational/process perspective, as well as the pros and cons of various cloud models. Learn more: http://del.ly/Ckd9Dk
Building Future-Ready Healthcare IT Platforms: Get To The Cloud
1. Future-ready Healthcare IT Platforms: Get to the Cloud
Andrew Litt, MD, Chief Medical Officer, Dell Healthcare and Life Sciences
2013
2. Panelists
David Tomlinson, CIO/CFO, Centegra
Bill Russell, CIO, St. Joseph Health
Ismelda Garza, IT Director, Comanche County Medical Center
3. Moving beyond the cloud hype
Current usage:
• Enterprise cloud application revenues reached $22.9B in 2011 and are projected to reach $67.3B by 2016.
• 60% of server workloads will be virtualized by 2014.
• Global cloud traffic will account for nearly two-thirds of total data center traffic by 2016.
• Today 46% of business data is stored outside of internal IT structures.
• Over the past three years nearly 74% of data centers increased physical server count.
• IaaS cloud management & security and PaaS are growing from $7.6B in 2011 to $35.5B in 2016.
Projected market spend of $241 billion by 2020, split across hybrid, private and public cloud (chart values: 24%, 37%, 39%).
Source: Dell Customer Research, April 2013
4. Industry adoption varies (Gartner)
Adoption levels: Advanced, Heavy, Moderate, Measured, Lagging
What is being adopted: private cloud PaaS and IaaS; community cloud and service providers; community cloud and SaaS; email and collaboration; panicky migration from vendor to provider; not much happening; public records, medical processes; brokerage and messaging integration
Industries: Financial services, Telecommunications, Government, Education, High tech, Energy and utilities, Healthcare, Retail
6. Changing healthcare landscape
2013: Traditional IT still dominant. 41.8% of a healthcare organization's IT budget is allocated to traditional IT deployment.
2015: Cloud IT growth accelerates. Within two years' time the traditional IT budget will decrease to 35.4%. Use of public cloud services will increase from 12.6% to 15.8%.
2017: Cloud IT multi-$B market. Although adoption is held back by regulatory initiatives and security concerns, the cloud market in healthcare is expected to grow to $5.4 billion by 2017.
7. Impediments to cloud adoption for healthcare providers (% of respondents)
• Concerns that cloud providers will not continue to innovate
• Have not identified what our exit plan for cloud would be
• Have concerns about cross-border rules
• Have not yet created a service catalog for cloud services
• Unclear future and roadmap for cloud services
• No end-to-end service management strategy
• Have not yet developed a cloud roadmap
• Concerns over security and availability
Chart values as extracted: 40, 28.4, 20.5, 17.4, 11.3, 11.8, 14.1, 7
Source: IDC's Global Technology and Industry Research Organization IT Survey, 2012
8. Multiple regulatory requirements
HIPAA: Health Insurance Portability and Accountability Act (1996). Security rules:
• 45 CFR 160
• 45 CFR 162
• 45 CFR 164
HITECH: American Recovery and Reinvestment Act – Health Information Technology for Economic and Clinical Health (2009). HIPAA Security Rule plus:
• New civil money penalties for violations
• Covered entities and business associates must comply
• Breach notification obligation for breaches on or after Sept. 2009
Meaningful Use (2010). Risk analysis:
• 45 CFR 164.308 (a) (1)
• Core Measure 15
9. How can audits and penalties impact you?
• Breach Notification Rule
• KPMG contract: audits of 150 hospitals
• Fines and penalties
10. Challenges = cloud opportunity
• Improve quality of care
• Reduce costs
• Operate under high regulations
• Effectively manage IT resources
11. Why Cloud?
Secure • Flexible • Simple
• Manage specific environment on customer behalf
• Facilitate aggressive implementation schedules
• SLA easy to understand and implement (99.95% uptime)
• Free up hospital IT resources to focus on service delivery and application implementation
• Expect predictable outcomes with a choice of service levels for operational availability
• Choose disaster recovery options that allow you to meet Recovery Point Objectives and Recovery Time Objectives
• Select add-on solution options to fulfill your specific requirements
• Reliable & secure ISB backup, recovery, and tape administration
• Highly secure and reliable network connectivity options offer HIPAA-compliant data encryption
• System monitoring
• Pre-defined server availability levels
• Standard data administration procedures and tools
12. Dell cloud strategy for healthcare
Audiences: Hospitals, Physicians, Payers, Life Science
Healthcare cloud platform
Strategic pillars:
1. Establish an interoperability network connecting healthcare constituents
2. Develop a next-generation delivery mechanism based on a secure cloud platform that supports derivative data-driven solutions
3. Integrate current and future solutions through the cloud to deploy at scale
Healthcare solutions: Archiving & Storage, Reporting & Alerting, Analytics, Electronic Medical Records, Revenue Cycle Services, Payers Solutions, Other
Platform capabilities: Data Management, Security, Mobility, Interoperability, Other
13. Dell Healthcare in the Cloud
• 50+ customers supported with cloud-based HIS and DR
• 6B+ diagnostic image objects managed by Dell in the cloud, protecting medical images for 7% of the US population
• Security events processed daily by Dell SecureWorks, a core component of the Dell Cloud
• Integration processes per day with Dell Boomi, over 3x our nearest competitor
• 1st to market with the Dell OpenStack Solution: Dell's Crowbar deployment, management and services
• More EMRs supported in a secure dedicated Healthcare Cloud than any other healthcare IT services provider
• $200M saved by Dell; Dell achieved this by virtualizing 10,000 servers and reducing applications from 7,000 to less than 2,500
• 400K physicians and 500 individual practices supported by Dell's physician hosting cloud solution
Additional callouts on the slide that could not be matched to a caption: 29B, 650,000+, MEDITECH
18. Let's get started
• Visit the Solution Showcase to see our end-to-end healthcare solutions and services
• Gain hands-on experience and see demonstrations at the Solution Showcase
• Schedule a visit to a Dell Solution Center near you: Austin • New York City • Washington D.C. • Chicago • Santa Clara • Mexico City • São Paulo
• Go to www.Dell.com/healthcare
The adoption of IT cloud services among healthcare firms is roughly at parity with all firms. However, a far greater percentage of healthcare firms (32.5%) are evaluating IT cloud services for a specific workload or service compared with all firms (23.6%). This represents an opportunity for suppliers to help educate healthcare organizations about best practices and use cases for cloud adoption.
Private cloud deployments, both internal and external, are also increasing, which changes how firms will procure services and solutions.
Emphasize that these are common concerns across industries.
A HIMSS survey of large healthcare organizations found that just 47% currently conduct annual risk assessments as of last year, which is part of the original HIPAA requirement. Fifty-eight percent of the respondents had no staff members dedicated to security, and 50% spent 3% or less of organizational resources on security. So, you’re certainly not alone if you have yet to implement and conduct periodic risk assessments.
We wanted to show on this slide that Meaningful Use is really nothing new. The Security Rule has been around since 1996 in the original form of HIPAA. When the HITECH Act was developed as part of the American Recovery and Reinvestment Act, it applied some new extensions to the already existing rule. For instance, with HITECH, new breach notification rules were extended, mandating reporting of breach incidents to HHS for breaches that affect more than 500 people, and extending the rules to healthcare business associates. HITECH also implements a new tiered system that increases civil monetary penalties for noncompliance and also allows state attorneys general to file civil actions for HIPAA violations on behalf of a community's constituents.
The Meaningful Use guidelines, set out by CMS, cover measure 45 CFR 164.308, which sets out the requirement to conduct a risk assessment. This measure, in turn, is part of a series of measures that encompass the full Security Rule from HIPAA. Meaningful Use can be thought of as HHS finally starting to get some sizzle to their steak in terms of enforcing and incentivizing providers to not only adopt EHR, but also to make sure that it is implemented in a way that supports the original HIPAA guidelines.
How the risk assessments are conducted still has some flexibility built in, which adds some confusion to the environment. Federal guidelines such as NIST SP 800-66 are often referred to. Some of the basic questions that this guideline and others recommend you consider when implementing the Security Rule include:
• Have you identified ePHI within your organization, including ePHI that you create, maintain, or transmit?
• What are the external sources of ePHI? For example, do vendors or consultants create, receive, maintain or transmit ePHI?
• What are the human, natural, and environmental threats to information systems that contain ePHI?
While risk analysis is a necessary component of achieving the Meaningful Use requirements, it is also a necessary tool for reaching any sort of substantial compliance with many other standards and implementation specifications. So, although it is a starting point, the risk assessment is really just a stepping stone to the complete compliance that will be required and continually enforced in the near future.
The HIPAA Security Rule specifically focuses on the safeguarding of ePHI and is the most comprehensive guideline around protected health information. All HIPAA covered entities, which include some federal agencies, must comply with the Security Rule. The Security Rule specifically focuses on protecting the confidentiality, integrity, and availability of ePHI, as defined in the Security Rule. The ePHI that a covered entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. In general, the requirements, standards, and implementation specifications of the Security Rule apply to covered entities including:
Covered Healthcare Providers— Any provider of medical or other health services, or supplies, who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard.
Health Plans— Any individual or group plan that provides or pays the cost of medical care (e.g., a health insurance issuer and the Medicare and Medicaid programs).
Healthcare Clearinghouses— A public or private entity that processes another entity’s healthcare transactions from a standard format to a nonstandard format, or vice versa.
Medicare Prescription Drug Card Sponsors – A nongovernmental entity that offers an endorsed discount drug program under the Medicare Modernization Act.
Since 2009, 435 healthcare entities have reported data breaches affecting over 20 million patients [1].
The average economic impact of a data breach over the past two years is approx. $2.2M [2].
Nearly 40% involve a lost or stolen portable media device containing unencrypted PHI.
Encrypted patient data is covered under the safe harbor.
In July of 2011, the HHS’ Office of Civil Rights (OCR) announced that they had appointed consulting firm KPMG to conduct up to 150 HIPAA audits of covered entities and business associates by the end of 2012, and the implementation of the audit program fulfills a compliance enforcement mandate of the 2009 HITECH Act.
The KPMG contract enables OCR to put "feet on the street," while retaining an oversight role in the process. Sue McAndrew, OCR's deputy director for health information privacy, confirms that some audits could even result in OCR enforcement action. "Certainly, if we uncover in the course of the audit major violations or potential violations … we will be dealing with those … in the same manner we would through our formal enforcement process," she said recently. Criminal and civil penalties can be levied against organizations and/or individuals for violations of HIPAA Privacy and Security Rules. Monetary penalties for a breach of HIPAA Privacy and Security Rules range from $100 to $50,000 per violation. In addition to all this, state attorneys general are now authorized to bring civil actions against HIPAA violators on behalf of state residents. These audits have already begun.
These audits will supposedly “initially offer comprehensive assessments of compliance with the HIPAA privacy and security rules rather than specific narrower issues.”
While the projected number of 150 audits in 2012 makes the likelihood of an audit visit to your organization fairly low – keep in mind, OCR has a separate initiative underway to train State Attorneys General on the HIPAA audit process as well, so this is something that will likely become even more persistent and granular in the future.
Organizations participating in the EHR “meaningful use” plan already have a compelling incentive to “conduct or update a security risk analysis” but with or without meaningful use, this is a mandatory requirement for all covered entities and business associates, taken verbatim from the HIPAA Security Rule itself.
And as you may know, organizations are required to report breaches affecting 500 or more individuals to HHS, along with details of the breach – where the entire incident is then posted publicly on the HHS website on their so-called “wall of shame”.
And a third factor is that OCR and State Attorneys' offices now have the ability to penalize healthcare providers for failing an audit. This level of scrutiny is not likely to dissipate anytime soon; if anything, there is more likelihood than ever that a breach or lack of risk management can have disastrous consequences.
In addition to this trifecta of incentives to focus on security, there is also the reality that breaches are happening every day. In fact, 60% of hospitals had more than two data breaches in the past two years. This is likely because over two-thirds of hospitals do not have the proper policies and controls to detect and respond to breaches, according to a recent Ponemon research study.
Since the data breach notification regulations by HHS went into effect in September 2009, 435 (as of 7/15/2012) incidents affecting 500 or more individuals have been reported to HHS, according to its website. A total of over 20 million individuals have been affected by a large data breach since 2009. The regulations require a covered entity that discovers a reportable breach affecting 500 individuals or more to report the incident to the HHS Office of Civil Rights immediately.
A report recently released by Redspin, an IT security firm, states that data breaches stemming from employees losing unencrypted devices spiked 525 percent in the last year (2011) alone. This statistic confirms that devices, including laptops, tablets and smartphones, pose a very high risk for a data breach. Redspin reported that eighty-one percent of healthcare organizations now use smartphones, iPads, and other tablets, but forty-nine percent of respondents in a recent healthcare IT poll by the Ponemon Institute said that nothing was being done to protect the data on those devices. In a study published in 2011, the Ponemon Institute found that the cost of a data breach was $214 per compromised record and the average cost of a breach is $7.2 million.
Encryption of PHI is a major step a provider or institution can take to secure its sensitive patient data. Encryption is the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key. According to HHS guidance, if an entity encrypts its data in accordance with the National Institute of Standards and Technology standards for encryption, then any breach of the encrypted data falls within a safe harbor and does not have to be reported. This is an incredibly important safe harbor that could save an entity a lot of money.