Cloud computing in the health sector – ready for the prime time?
What is cloud computing?
Cloud computing is a new term that is being used increasingly, thanks to the large interest the media are showing in the topic. But what is cloud computing exactly? Should health professionals consider cloud computing? What implications will a health professional face when considering the adoption of this technology?
Typically services, data and applications are located on the end user’s machine or on servers located on the business premises. Under a cloud computing arrangement, data, applications and services are situated in specialised data centres and made available to the end user via the Internet.
The US National Institute of Standards and Technology defines cloud computing as: "...a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction..."
There are three delivery models for cloud computing services:
- Infrastructure as a Service (IaaS)
- Software as a Service (SaaS)
- Platform as a Service (PaaS)
In Infrastructure as a Service the cloud provider offers a range of virtualised infrastructure components such as virtual network devices, virtual storage devices and virtual servers to meet customer specifications.
Software as a Service represents a new way of delivering software. Rather than selling software that the customers have to install and configure on their computers and servers, the software is centrally hosted and made available to customers via the Internet. What makes this service attractive is that software maintenance is handled by the vendor.
With Platform as a Service, the provider offers development environments that customers use to build their own applications.
‘Going cloud’ is a business decision, not an IT one
The advantages of ‘going cloud’ for an organisation include:
- Reduced upfront costs of computer equipment;
- Flexible on-demand processing capacity;
- Collaborative capabilities;
- Reduced operational ongoing costs;
- A reduced carbon footprint; and
- Improved business continuity.
An organisation no longer needs to replace obsolete servers with new ones, greatly reducing the up-front costs and downtime. The organisation only needs to pay an ongoing fee to their cloud service provider, which in exchange supplies processing power, memory, storage space and network access.
Another great advantage of cloud computing environments is the flexible on-demand processing capacity, which makes the provisioning of new servers a simple task. If the business grows and more resources are required, the customer simply has to acquire more resources from the provider. Most of the time, a new server can be provisioned within minutes.
The collaborative capabilities introduced by cloud computing allow businesses to explore new opportunities for interacting with their customers and business partners.
The ongoing costs of managing IT infrastructure may also be reduced as customers do not have to worry about air conditioning, power, physical security, scheduled maintenance, breakages and other related costs.
Facilitated by the more efficient use of computer hardware and the reduced requirements of air conditioning and electrical power, cloud computing also plays a very important role in reducing an organisation’s carbon footprint.
Cloud computing has great potential for healthcare operators as it enables better mobility and provides a solution to ensure business continuity in case of major disasters, such as floods, fire or earthquakes. However, it also introduces a number of new issues, particularly related to the sensitivity of clinical records and their protection, which should be properly considered and addressed.
Cloud and security
Most large enterprises have their own private cloud infrastructure, but small and medium businesses looking to embrace cloud computing will have to rely on public or community clouds. These types of cloud model operate in multi-tenancy mode, meaning that a single physical server or storage device is partitioned among various customers.
In a multi-tenant environment each customer may have different security requirements. For example, a tenant may be running a test environment that requires minimal protection while another tenant may be running a critical application handling sensitive data. There may be consequences impacting on all other tenants if the first system misbehaves or is taken over by malicious intruders.
While providers should account for such issues to provide a secure multi-tenant environment, in reality, due to the complexity of the cloud environment, these events are not always easy to detect or prevent.
Often, cloud providers may be able to offer very sophisticated approaches to security beyond the capability of many businesses. However, a customer should not take this for granted. Typically, customers and cloud providers share the responsibility of security and privacy and each cloud model implies different responsibilities for each party.
SaaS providers should be responsible for securing customers’ data and applications, while customers will have to be careful to protect their access credentials. Under SaaS, password-based authentication alone may not be a suitable option to protect the data: individual users may select weak passwords or may not protect their passwords adequately. Two-factor authentication (e.g. user name and password, plus a one-time password or digital certificate) will provide greater protection in a SaaS scenario.
PaaS providers should be responsible for isolating customers’ computing environments, while customers are responsible for securing the applications that they develop.
IaaS customers are responsible for protecting operating systems and data, while providers should ensure adequate network segmentation and proper data partitioning between customers’ systems. IaaS customers are still responsible for backing up data, implementing access control mechanisms, deciding which services should be exposed to the Internet, installing and maintaining software and so on.
In circumstances where the provider is responsible for backing up customers’ data (mostly SaaS or managed PaaS and IaaS) it is important to check with the vendor how long it would take to recover data in the case of a problem. This should be clearly stated in the Service Level Agreement (SLA).
A series of technical and non-technical measures should be considered to prevent providers from abusing customer data. Information stored on the cloud and travelling over the Internet should be encrypted and only the customer should know the key or password to decrypt the data.
The SLA or contract may specifically exclude provider liability regarding data protection, security and backups thus leaving customers solely responsible for the protection of their data.
Things to consider when choosing a cloud
While the customer may be able to take care of some aspects of security and data integrity, such as maintaining independent back-ups and using data encryption, other aspects of data security in a cloud based environment are outside of the customer’s control and knowledge. This includes the physical security of the data centre, virus protection, protection against external attacks and maintaining data security as it is transferred between data centres.
This underlines the importance of choosing a reputable service provider with strong data protection policies and procedures. As it would be impractical, if not impossible, for a customer to assess the provider’s compliance with data protection and security best practice, customers should rely on the provider’s current certifications, which may include ISO 27001, DSD Gateway Certification, ACSI 33, the Protective Security Manual and PCI DSS.
A very important aspect which should be carefully assessed when selecting a cloud service provider is their Service Level Agreement. This document describes the service and states priorities, responsibilities and warranties. It will state things such as the performance of the service in terms of connection speed, service uptime, allocated resources and more.
Typically an SLA states the quality of the service provided and establishes penalties if the service falls below an agreed level. For instance, the agreement may establish a credit on the monthly fees paid by the customer if service availability falls below the agreed 99.0%. Note that 99% availability may sound good at first, but it equates to three and a half days of downtime over a year. Also, the SLA may exclude from the calculation some types of outages, such as scheduled maintenance, failures caused by third parties and so on.
Some providers may offer 100% availability not counting outages that are below a certain threshold (e.g. 30 minutes), meaning that they can have as many interruptions of 29 minutes as they wish without legally breaking the agreement.
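To make the two preceding paragraphs concrete, here is an added Python example (not from the article) that turns a headline availability percentage into allowed downtime and then applies typical SLA exclusion clauses to a constructed month of outages. The outage log, the 30-minute threshold and the exclusion rules are all assumptions chosen to mirror the clauses described above; the point it shows is that the availability the provider measures under its own rules can stay above target while the availability the practice actually experiences is below it.

```python
"""SLA availability arithmetic: what a headline percentage means in downtime,
and how exclusion clauses make measured availability diverge from what the
customer experiences. Added example; not from the article."""
from dataclasses import dataclass
from datetime import timedelta
from typing import List, Tuple

MINUTES_PER_YEAR = 365 * 24 * 60            # 525,600 (non-leap year)


def downtime_allowed_per_year(availability_pct: float) -> timedelta:
    """Maximum downtime per year consistent with the stated availability."""
    return timedelta(minutes=MINUTES_PER_YEAR * (100.0 - availability_pct) / 100.0)


@dataclass
class Outage:
    start_min: int              # minute offset from start of period (constructed)
    duration_min: int
    scheduled: bool = False     # announced maintenance window
    third_party: bool = False   # e.g. upstream carrier fault


def counted_by_sla(o: Outage, min_duration_min: int,
                   exclude_scheduled: bool, exclude_third_party: bool) -> bool:
    """Apply the SLA's exclusion clauses to a single outage."""
    if exclude_scheduled and o.scheduled:
        return False
    if exclude_third_party and o.third_party:
        return False
    return o.duration_min >= min_duration_min   # short outages fall under the threshold


def downtime_minutes(outages: List[Outage], period_min: int, min_duration_min: int = 0,
                     exclude_scheduled: bool = True,
                     exclude_third_party: bool = True) -> Tuple[int, int]:
    """Return (downtime the customer experienced, downtime the SLA counts), in minutes."""
    actual = sum(o.duration_min for o in outages)
    counted = sum(o.duration_min for o in outages
                  if counted_by_sla(o, min_duration_min, exclude_scheduled, exclude_third_party))
    return actual, counted


def availability_pct(downtime_min: int, period_min: int) -> float:
    return 100.0 * (period_min - downtime_min) / period_min


def credit_due(outages: List[Outage], period_min: int, target_pct: float, **sla_rules) -> bool:
    """Does the provider owe a credit under its own counting rules?"""
    _, counted = downtime_minutes(outages, period_min, **sla_rules)
    return availability_pct(counted, period_min) < target_pct


# Constructed 30-day outage log for a hypothetical provider.
MONTH_MIN = 30 * 24 * 60
SAMPLE_OUTAGES: List[Outage] = (
    [Outage(start_min=1440 * d + 600, duration_min=29) for d in range(10)]  # ten 29-minute incidents
    + [Outage(start_min=1440 * 14, duration_min=120, scheduled=True)]       # maintenance window
    + [Outage(start_min=1440 * 20 + 300, duration_min=45)]                   # one 45-minute incident
)
# Assumed SLA clauses: outages under 30 minutes, scheduled and third-party outages not counted.
SLA_RULES = dict(min_duration_min=30, exclude_scheduled=True, exclude_third_party=True)


if __name__ == "__main__":
    print("99.0% allows per year:", downtime_allowed_per_year(99.0))
    actual, counted = downtime_minutes(SAMPLE_OUTAGES, MONTH_MIN, **SLA_RULES)
    print(f"experienced: {actual} min -> {availability_pct(actual, MONTH_MIN):.2f}%")
    print(f"SLA-counted: {counted} min -> {availability_pct(counted, MONTH_MIN):.2f}%")
    print("credit due at 99.0% target:", credit_due(SAMPLE_OUTAGES, MONTH_MIN, 99.0, **SLA_RULES))
```

With the constructed log, the practice sees 455 minutes of downtime in the month (below 99% availability), yet only the single 45-minute incident counts under the assumed clauses, so no credit is due. Running the same log with the exclusions switched off is what a customer would need the SLA to say for the penalty to reflect their actual experience.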
Most SLAs provide limited liability for direct losses and exclude liability for indirect losses. They may not offer adequate compensation for the damages caused by unscheduled downtime, data loss or privacy violations.
An SLA should clearly state what would happen in the event of a security breach, and it should also stipulate the obligation of the provider to inform the customer of such a breach.
Some cloud providers own limited or no infrastructure and resell services provided by other vendors. These providers will pass on to their customers the conditions of the SLA they have in place with their suppliers. As such, their customers are unable to negotiate these conditions.
Another issue with working with a cloud reseller is that they may change supplier without letting their customers know about it. This could have serious consequences as data may be transferred overseas without the customer even knowing it. This particularly applies to SaaS providers as they may be delivering their services through an infrastructure (IaaS) managed by another provider.
When choosing a cloud provider it is also very important to verify that the connection speed between the cloud and the site is adequate. Aspects such as availability, traffic throughput, latency and packet loss should be seriously evaluated. A tool to measure connectivity performance between a customer’s site and some of the most popular providers (including a few Australian ones) can be found at http://cloudharmony.com/speedtest.
Other risks introduced by cloud computing relate to resiliency in the case of a local disaster. A provider should replicate customers’ data across multiple data centres geographically distant from one another.
The customer should be very careful when selecting a provider, gathering customer feedback and selecting providers with proven technical competence and economic stability.
Where does a cloud live?
A very important aspect to consider when selecting a cloud provider is the location where your data will be stored. Storing data overseas introduces the very serious problem of data sovereignty.
The cloud computing model is driven by economies of scale. For this reason, data may be stored in data centres located in developing countries offering cheaper labour, rent and services.
Some countries may have inadequate legislation relating to privacy and copyright. Most of the largest cloud providers reside in the US; however, US legislation about privacy and data handling is significantly different from Australian regulations. For instance, the US Patriot Act gives the FBI the right to access any data stored within the US, even if it belongs to foreign companies.
There is in fact the issue of "transborder data flows" as established by NPP 9 of the Privacy Amendment (Private Sector) Act 2000, which states that organisations thinking of transferring data offshore should seek individuals’ consent and disclose that information stored overseas may not be protected by Australian law. NPP 9 also stipulates that the organisation must take reasonable steps to ensure that data exported overseas will be handled in accordance with the Australian National Privacy Principles.
The Australian Corporations Act 2001 provides that a company keeping financial records overseas must inform ASIC about where the records are kept.
If a data leakage or a privacy breach happens overseas, prosecuting the responsible party may be a very expensive exercise. For this reason it is important that the agreement with the service provider includes a ‘choice of law’ clause which ensures that disputes are handled in Australia rather than overseas. Also, the agreement should state that Australian law will apply even if the provider resides in another country. Typically, however, agreements are drafted by service providers and therefore contain clauses which play in their favour. Large corporate or government customers may be able to negotiate these terms, but for small to medium businesses the chance of negotiating a customised agreement is likely to be slim.
Jumping off the clouds
While everybody seems to be talking about joining the cloud, not many discuss how to leave it. As cloud computing is a very new field, commonly agreed standards have yet to be adopted. Each cloud provider has its own proprietary system, making it very difficult for a customer to transfer services to a different provider, or even back on-site.
Proprietary standards are often intentionally used by some vendors to ‘lock in’ a customer. A customer should ensure that the provider has a well documented process to export customer data in a vendor-neutral format before committing to it. This is particularly important in SaaS as data may have to be imported into a new software product.
Some agreements may state that the provider is entitled to delete data on cancellation of the service. The customer may be solely responsible for data retrieval which has to be organised before the termination of the service. Some providers, however, reserve the right to terminate the agreement immediately without notice in some circumstances.
Another issue that customers should consider when migrating away from a cloud provider concerns data sanitisation. How do we know that our data have been completely and properly erased from the provider’s system? Unless the storage space allocated to us has been properly overwritten, data stored on it may be recovered by the next customer who moves into ‘our’ storage space.
Is ‘going cloud’ the right option for my practice?
Contrary to what many believe, the cloud does not completely eliminate the need for an IT support person, and it actually brings along new responsibilities which may not have been previously considered.
So before jumping on the cloud bandwagon, consider very carefully all the aspects and variables involved. Costs are very relevant, but they shouldn’t be the only deciding factor when ‘going cloud’.
As a guide, Figure 1 shows a comparison between an entry level physical server and a cloud based server with similar technical specifications offered by some of the leading Australian based providers. These cost estimates do not consider the cost of server and software configuration.
The purpose of this cost comparison is not to establish which model is more convenient, since the variables considered fluctuate constantly, but to highlight which variables a business should consider when opting for the cloud.
Something else to keep in mind is that, while a cloud based solution may be more expensive in the long run, the cost of a physical server typically has to be paid up-front. In the example shown in Figure 1, it would be a total of $3,909.60 plus ongoing costs.
The Australian Department of Defence established a set of guidelines for government agencies considering cloud computing. Despite the intended audience, these guidelines are also relevant for private healthcare operators due to the extremely sensitive information handled in this sector. These guidelines make the following important observations:
- Cloud computing should not be used to store highly confidential/sensitive information. The Privacy Amendment (Private Sector) Act 2000 as well as the Guidelines on Privacy in the Private Health Sector for health service providers stipulate that health records should be considered as such.
- A copy of data stored on the cloud should be kept locally or with a second fully independent provider.
- Data sanitisation: what happens to your data when you leave the provider, and what procedures the provider has in place to dispose of obsolete or non-functional storage media.
- Data ownership. Do you retain legal ownership of your data, or does it belong to the vendor and may be considered an asset for sale by liquidators if the vendor declares bankruptcy?
- Data sovereignty. Where is your data physically stored? Data stored overseas may be subject to the legislation of the host country.
Practices considering cloud computing should establish a classification system based on the sensitivity of the data they handle and then perform a risk analysis to determine which data may be suitable for storage in the cloud.
Health professionals operate in many different ways depending on their specialisation, size of the business and other relevant factors. Therefore, data classification schemes should be customised to the specific organisation.
Section 4.4 of the HB 174-2003 standard "Information security management - Implementation guide for the health sector" establishes a scheme based on four classification levels, as summarised in Figure 2.
Data classification is useful particularly to decide what data are suitable to be stored in the cloud.
Health professionals considering cloud computing should ultimately seek guidance from their representative bodies, particularly with regards to compliance with legal obligations and accreditation standards.
References and notes
- NIST SP 800-145 (Draft), "The NIST Definition of Cloud Computing (Draft)", National Institute of Standards and Technology, U.S. Department of Commerce, January 2011.
- Mark Worsman and Vanessa Hoban, "Cloud computing – more rain than shine?", PulseIT, May 2009, p. 43.
- "Guidelines to the National Privacy Principles", Office of the Federal Privacy Commissioner, September 2001.
- Australian Corporations Act 2001, section 289 "Place where records are kept".
- Note on Figure 1: the most relevant difference is that the physical server has a multi-core CPU, while the cloud server is based on a single core.
- "Cloud Computing Security Considerations", Australian Department of Defence, http://www.dsd.gov.au/infosec/cloudsecurity.htm
- HB 174-2003, "Information security management - Implementation guide for the health sector", Standards Australia.
IT Security Consultant
eHealth Security Services
Alberto Tinazzi is a Certified Information Systems Security Professional (CISSP). He works as an independent information security consultant specialising in the healthcare sector. He has 16 years’ experience as an IT professional, specialising in information management and security. He has spent the last 10 years working within the health sector, covering a number of different roles within the Division of General Practice Network.
Posted in Australian eHealth