Cloud Computing: Finding the Right Solution
Getting a Return on Your Cloud Investment
In an exclusive interview, David Finn of Symantec addresses how to:
- Justify the investment by identifying all potential benefits;
- Select the most appropriate cloud services provider;
- Prepare a contract that addresses all the necessary details.
This is the second of two podcast interviews with Finn. See also: Cloud Computing: A Good Fit?
Finn, CISA, CISM, is the Health Information Technology Officer for Symantec. Prior to that role he was the Chief Information Officer and Vice President of Information Services for Texas Children's Hospital, the largest pediatric integrated delivery system in the United States. He also served as the Privacy and Security Officer for Texas Children's. Prior to that, Finn spent seven years as a healthcare consultant with IMG, Healthlink and PwC, serving last as the EVP of Operations for Healthlink.
Finn has 30 years' experience in the planning, management and control of information technology and business processes. He is focused on enabling operating efficiency and deriving business value through the optimization and control of technology. His key skills include IT Governance and Control, Project Management, Systems Selection and Implementation, Business and IT Partnering, and IT Audit, Control and Security.
TOM FIELD: In a previous conversation, we talked a little bit about cloud computing in healthcare, and I want to pick up on that conversation. To start with today, let's say that a healthcare organization has embarked on a cloud computing initiative for the economic advantages. What are some of the secondary benefits that an organization might enjoy?
DAVID FINN: Cost savings are often assumed to be the primary motivator, and cloud computing does offer the potential for cost savings, but most of the early adopters are finding that characterizing the return on investment from the cloud is a little more complicated than just a straight-up comparison. So you really have to look at total cost of ownership of the on-premise versus the cloud-based solution.
In addition, your provider should be giving you the tools for doing that. You will have to validate the assumptions, and some tools will let you build the assumptions, but the trick in looking at cost is making sure you include all of your on-premise costs, and that means power, that means cooling, that means all the FTE system administrators or back-up people and the software licensing. And so once you get past the benefit, you start to get to the good stuff, and I will talk a little bit about some of the things we are seeing.
Many of our early adopters cite agility and time to value ahead of cost as their primary reason for moving to the cloud. In a lot of cases an equivalent cloud-based service is available that can offer lower up-front costs but more importantly faster deployment. So, they are getting the solution deployed faster, and that is agility.
Flexibility is another secondary benefit that we hear very often, and this is kind of related to the agility, but it is also related to the need for IT groups to scale their capabilities in response to changing business requirements. So, by leveraging cloud-based services, IT can be more flexible in meeting user demand with their staff and their resources.
In healthcare today, I think that the biggest reason to start looking at the cloud for options for other solutions is what we call portfolio rationalization. That is a big phrase, but what it really means is that you rationalize your IT service delivery portfolio. In particular, you want to ensure that you are dedicating your resources, and that is trained IT staff who knows your business, your environment and your users, and you are dedicating those resources to the applications and the services that are most critical to the success of your organization.
Most providers today are very focused on ... meaningful use and health information exchange. So functions that are less mission critical to your organization, or which the organization doesn't have particular expertise, these are the candidates for cloud-based alternatives. Free up your resources to dedicate them to what you really need.
Risk Management
FIELD: Well a couple of follow up questions for you, David. I have heard a number of people say that cloud computing can play a significant role in helping a healthcare organization to manage its risks. How is that possible?
FINN: Well, software as a service and even infrastructure as a service vendors and other cloud providers who are managing end-user data need to address a whole range of issues around security and data privacy and ownership. For health IT professionals who are considering adopting cloud solutions, security is and should be top of mind. You can move a lot of things to the cloud, but responsibility for protecting your organization's data isn't really one of them.
So, depending on the data you are storing, your service provider may become a business associate, and you want someone who knows what that means and is prepared to accept that role and the responsibility to provide the same or better security and privacy than a covered entity. Regardless of which services your organization may move to the cloud and which vendors you work with, you are still ultimately responsible for ensuring that your information is secure and that sensitive information remains private.
Data location is not guaranteed by most cloud service providers because they often use other cloud vendors to support their offering. So if your organization is planning to put data into an external cloud, you want to make sure that your organization performs data classification analysis prior to moving corporate data or patient information to a cloud service provider. You have to look at data sensitivity, trust levels, as well as regulatory and compliance issues to ensure they are satisfactorily addressed, and to ensure security, all of that data (in transit and at rest) should be encrypted.
So the short answer after I have given you the long answer is this: It is still your patient's data, but by moving information, particularly large volume stores to the cloud, and assuring that the data is secure, encrypted, backed-up and accessible to appropriate users on demand, you have unburdened your IT department of a lot of ongoing capital and operating expenses, and you have been able to assure a very high level of security and reporting on that data without using any of your shop's budget or resources. I think that is one way you can shift that risk out of your shop.
Business Continuity
FIELD: A similar question David is how can cloud computing help a healthcare organization to achieve its goals in business continuity?
FINN: This is a great question, and you have to start by differentiating between business continuity and disaster recovery. I think everyone gets the disaster recovery aspect. If your data is in the cloud in geographically different data centers and encrypted and you have a total disaster -- if an entire data center at your site is lost -- you can still get that data back relatively quickly.
Business continuity is keeping things going, keeping things up and running while you have got a local issue that is impacting business, but you can't stop seeing patients.
So there is a lot of benefit around just kind of routine business continuity efforts with the cloud solution.
Find the Best Fit
FIELD: David, we have talked an awful lot about providers and about business associates. There are so many cloud computing options that are available to an organization. Given that broad menu, how can a decision maker really go about finding the best fit for their organization?
FINN: Okay, so we have identified that cloud is really a new model of IT service delivery, and we know there are some good things about it and some things that need a little more attention, but how do you deal with making the move to the cloud without having your head in the clouds? I think that is your real question.
It gets down to the issue of what are the criteria for even assessing a cloud option, and I think the most important thing -- and I have seen it time and time again in talking with customers -- is you have to acknowledge the concerns of your IT staff and your users. Offloading IT operations to a cloud service provider gives users the opportunity to improve their organization's business processes and the effectiveness of their workforce, particularly the IT group. Because the cloud can scale IT services on demand, it also powers a new degree of agility, which we talked about a little earlier, for business innovation and opportunities.
These are some of the issues I want to run down that I think really need to be acknowledged, and one is fear. The typical concerns about cloud computing include fear about the data being transmitted and stored in a cloud, keeping it safe, preventing it from being lost or stolen. You would have to look at how the costs compare to continuing to provide IT services the old way. But, you have to acknowledge that there is fear about letting that data go somewhere that you are not responsible for.
That leads directly to the second fear, which we see a lot in IT departments, and that is a loss of control. For a lot of healthcare providers, surrendering direct control of any part of IT is very difficult, especially for core services. Organizations are also used to controlling solution implementations to precisely meet requirements, and that is going to be a little bit different with the cloud solution.
The other thing, and it is a legitimate concern that needs to be addressed as you are making selection decisions, is vendor lock-in. Organizations worry that they are going to be locked into one cloud provider's services, and some users may delay adopting the cloud until they can easily move from one cloud vendor to another. So, the users not only need to be flexible, but you as an IT person looking at this need to make sure that you are not locked in and that it is possible to move that data, and, frankly, in the cloud it should be easier to move that data.
And then you want to leverage your existing IT in phases. You are wise to take a phased approach when rolling out a cloud solution. You want to pursue those quick wins, the quick low-risk projects when moving to a cloud.
And then those are some of the different things you need to look at, but then you need to systematically weigh your business requirements like with any IT acquisition. You will want to look at your business requirements and how they are met by a cloud-based solution.
Cloud computing is fundamentally a shift in how we think about IT services, and the new focus enabled by cloud computing is on defining the services you want, and the parameters in which they need to operate, and this clarification allows the organization to appropriately and efficiently pair in-house capabilities with the right balance and the right mix of cloud services.
Then you are going to look at things like you would with any IT application or any IT service, the advantages of the cloud versus in-house. You are going to have to look at security. You are going to have to look at shifting risk. You are going to have to address policies and processes within IT that may be impacted when you move to the cloud. You are going to have to look at regulatory compliance and even your data management governance or IT governance structures with this.
In some ways, there are some things that you need to acknowledge and recognize up front. In many ways it is traditional IT deployment, and you are going to look at most of the same things that you would with any IT solution.
Cloud Contracts
FIELD: So taking it to the next step, David, in getting into a cloud computing contract with a vendor, what are some of the details that you want to make sure that you write into that agreement? I am thinking for instance, should you spell out a vendor's HIPAA compliance strategies? What are some of the essential details?
FINN: That's a good question, and I come back to treating it like any IT project. You are going to want to look at impacts and limitations of the cloud, you are going to want to make sure you have aligned your organization's people, processes and technologies with the business objectives of the solution. You want to be able to describe contractually how and how much a cloud solution is going to save the business.
You are going to need to raise within the organization the need for a cloud solution. We have already talked about regulatory and governance issues. You need to look at and contractually identify any modifications or adaptations from your IT architecture to work with the cloud services. You certainly want to have and ensure adequate data protection for that data in the cloud, and as we mentioned, contingency plans (high availability or disaster recovery).
I don't want to write a contract with you, but I point to one other source that I look to a lot and that is Gartner's Global IT Council on Cloud Computing. This is a group of industry stakeholders that aren't just cloud providers, but developers, vendors and other stakeholders, and each of the Global IT Councils (Gartner has two of them) has been tasked with developing a set of basic rights or responsibilities for the specific area of technology they address. The members of these councils discuss the issues in depth and very openly, and they offer real-world observations about real-world problems and how they have been resolved.
So, I want to point to Gartner's Global IT Council on Cloud Computing and their basically seven rights and responsibilities, and these are things you want to address I believe in a cloud service agreement.
One is the right to retain ownership, use and control of one's own data. You want to make sure you still own that data because not every cloud provider does that. You want to make sure that you have service level agreements that address liabilities, remediation and business outcomes. You have the right to notification and choices about changes that affect the service business processes. You have the right to understand the technical limitations or requirements of the service up front. You have the right to understand the legal requirements of jurisdiction in which the provider operates. You have the right to know what security processes the provider follows, and you have the responsibility to understand and adhere to software licensing requirements related to that offering.
Again, it is basic stuff, but it is going to be a little bit different with the cloud, and we do recognize that sometimes cloud providers are layered, so you want to make sure that you understand the entire process and you have that right to understand the entire process from your cloud provider.
Maximize Your Cloud Investment
FIELD: Just a final question for you, David. Given everything we have discussed today, if you could boil it down to final words of wisdom for healthcare organizations, what would you tell them in terms of how they can maximize their cloud initiative?
FINN: I believe that the cloud model is going to have a significant impact on the healthcare industry. It is in its early stages today, and that impact is going to be felt over several years as the model evolves and gains wider acceptance and adoption and we learn new things about the cloud and new ways to use it.
I think ultimately this transformation is more about the way IT services are acquired than about specific implementation technologies. There are going to be public cloud offerings and private cloud services being delivered on a variety of technologies and platforms. There is a quote from one of the Gartner reports on cloud and it says, "Trust is the key characteristic of the cloud service consumer provider model." And trust is one of the key enablers of the cloud model; you are going to want to partner and work with providers and vendors that you trust.
Service consumers need to have confidence in their providers, whether they are external or internal, and along with core service level attributes such as availability and security, the service provider model introduces a whole range of issues that organizations need to consider around things like privacy and portability and ownership of the data, and how cloud services will interoperate in composite ways to optimize those services and your business processes.
So, the words of wisdom, I think, are plan, prepare, know, and trust your cloud provider. Write a good contract -- one that works for both you and your provider, but doesn't impose impossible constraints on the vendor.