Slides from June 19th HC3 Kickoff meeting
HC3 Overview Adam Greene
What is the Cloud? Hemant Pathak
The Disruptive Cloud Anish Sebastian
The Practical Cloud Pete Celano
4. @HCCCoalition #HC3
Agenda
8:30am Networking breakfast (sponsored by Davis Wright Tremaine LLP)
9:00am HC3 Overview Adam Greene
9:30am What is the Cloud? Hemant Pathak
10:00am The Disruptive Cloud Anish Sebastian
10:20am The Practical Cloud Pete Celano
10:40am Panel Discussion & Q&A, moderated by Shahid Shah
(Hemant Pathak, Chad Kissinger, Sandeep Pulim, Adam Greene)
11:30am HC3 Wrap up Adam Greene
Noon End
9. The Challenges
Where health care entities leverage cloud computing, there are too many inefficiencies:
• A sea of different information security questionnaires
• Confusion and disagreement over business associate agreement terms
• Confusion over information security responsibilities
10. The Challenges
A lack of HHS guidance on how HIPAA applies to cloud computing:
• What if a cloud vendor was unaware it was hosting PHI for a covered entity?
• No guidance or audit protocols specific to business associates
• How to handle patients' rights and breaches when you may not know what information you have
12. The Mission of HC3
• Reduce obstacles to the health care sector leveraging cloud computing technology.
• Promote innovation by reducing health care compliance burdens on health care technology companies.
15. The Objectives of HC3
Develop tools, such as:
• Sample business associate agreement provisions, to address unique cloud computing issues
• Notices that clearly identify each party’s security responsibilities
• A self-audit protocol for cloud computing providers
16. The Objectives of HC3
Work with health care providers and other associations (e.g., HIMSS, Cloud Security Alliance) to obtain feedback and promote the tools and guidance.
17. The Objectives of HC3
2. Trust – Build trust in cloud computing and regulatory compliance through an accepted accreditation/certification process or other programs.
18. The Objectives of HC3
Certification needs to be:
• Focused on health care (e.g., HIPAA, Alcohol and Substance Abuse Treatment Confidentiality)
• Focused on cloud computing
• Scalable (e.g., works for both a large IaaS provider and a small SaaS provider that does not host its own data)
19. The Objectives of HC3
Not looking to reinvent the wheel.
• Adopt and promote any existing or upcoming certifications/accreditations that meet our needs.
• Tweak any existing certifications/accreditations that get us 90% of the way there.
20. The Objectives of HC3
3. Government Outreach – Seek regulatory guidance from HHS and other relevant agencies. Maintain outreach and transparency with the government.
22. Next Steps?
• Learn from others today about the benefits and challenges of cloud computing in health care.
• Discuss the scope of what HC3 will initially take on.
• Incorporate and set up a structure for membership dues.
• Volunteers
23. Health Care Cloud Coalition
Legal considerations with cloud computing: A View From The Cloud Vendor.
Insight on the HIPAA Omnibus Rule, Cloud Privacy & Security, and HIPAA Enforcement
Hemant Pathak, Assistant General Counsel, Microsoft
24. What types of cloud model are we going to discuss today?
Enterprise Cloud
• Three types of cloud services: SaaS, PaaS, IaaS
• Public, Private, Hybrid
• Always available
• Per-user, consumption-based buying model
• Data and services with a common delivery model in shared data centers
• Different from traditional “outsourcing”
25. Why do customers choose cloud services?
• On-demand scalability, reliability and flexibility of computing resources, updates, interoperability and tech support
• Reduction of infrastructure costs & complexities at very large economies of scale across the board (electricity, network bandwidth, operations, SW & HW)
• Organizations can “get out” of the data center business
• The right vendor can address state-of-the-art security & privacy protocols to help customers address their compliance requirements in a highly regulated industry
26. From the cloud service provider (CSP) perspective – what are contracting expectations?
• Cloud services are configurable, but generally not customizable
• SLA, Service Descriptions, Security Descriptions
• Contract terms that impose unique service requirements for one individual subscriber are not scalable
• Pre-sales CSP & customer partnership and due diligence on contract terms and solution alignment reduce risk now and in the future for both parties
• Ensure compliance with laws and corporate policies
• Protect brand and reputation for both parties
27. From the customer perspective – what are contracting expectations?
Where and how is data stored?
• Clear data maps and geographic boundary information. Data must be encrypted wherever possible.
Who has access and what is accessed?
• Core customer data must be accessed only for service delivery, troubleshooting, migration and malware prevention purposes, on an exception basis, and all access should be logged.
Who owns the data?
• The customer. Data must be fully portable and retrievable.
Who pays for costs related to security breaches?
• A commercial term addressed by the parties.
28. Security & Privacy – How do you get assurances?
Security:
• Physical data center standards
• Secure networks
• Automated operations
• Robust breach prevention, detection and mitigation
Compliance – cloud service providers (CSPs) should address regulatory standards:
• E.g., ISO 27001, HIPAA BAA
• Federal Trade Commission
• Watchdog groups
• Healthcare agencies
• DHHS
Independent Audit & Verification
29. What questions do customers ask a potential CSP?
Security & Privacy Compliance:
• Does the cloud vendor offer a BAA?
• Does the BAA contain all required HIPAA terms?
• Does the CSP stipulate that it will comply with the breach notification rule, timely reporting, appropriate and transparent limitations on use & disclosure, and “minimum necessary”?
• Embedded technical, physical and administrative safeguards in support of HIPAA
• Data mining – will my cloud provider use my data for advertising, marketing or other commercial purposes without my consent?
• Does the CSP have a transparent and robust process for addressing third-party requests for data?
• Clinical-centered care strategies
• Compliance across collaboration modes (audio, video & messaging)
• Healthcare enterprise ready
30. What are the consequences of non-compliance?
Phoenix Cardiac Surgery
• Fined $100,000 by DHHS for failure to obtain a BAA
• “Covered Entity failed to obtain satisfactory assurances in business associates agreements from the Internet-based calendar and from the Internet-based public email providers that these entities would appropriately safeguard the ePHI received from Covered Entity.”
Oregon Health & Science University
• Negative PR stemming from a breach involving storing a spreadsheet of patient data with a cloud service which was not a business associate.
DHHS Regulator Quotes
• “If you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don't use the cloud service.”
• “…cloud services [are] under direct regulations of HIPAA…”
31. Conclusion
• Health care providers moving to the cloud want to choose a CSP that has been proven trustworthy.
• Transparency about compliance, security and privacy practices and use of data is the key to trust.
• Transparency allows customers to determine whether using a given cloud offering helps them to be compliant with applicable regulations and corporate policy.
37. Ease of Use
• Deploy infrastructure quickly with no need for a system admin
• No cabling, racking, unboxing or buying
• Software now controls the infrastructure
• Control your servers with the click of a mouse
39. Scalability
• Can adjust to minute-by-minute variation in demand
• Nothing to purchase and take delivery of
• Increase innovation by removing the “too scared to try” syndrome
• Go global in a matter of seconds (co-location)
40. Risk and Reliability
• Cancel immediately
• Change instantly, even the OS
• Rebuild instantly
• No long-term contracts
• Based on enterprise-grade hardware
• Employ best practices in IT: design for failure, control framework, disaster recovery
41. Cost
• Pay for only what you use – nothing up front, pay as you go
• Zero CapEx = lower burn rate = happy investors!
• The cloud has economies of scale; the business model is based on volume, not margin
• Since we started using Amazon, prices have gone down
42. Security
• Architected for enterprise security requirements
• More than likely more secure than what you can normally build yourself
• AWS white paper on HIPAA
• Ability to quickly fix security holes and keep up with new compliance standards
43. Being an “aaS”
• SaaS – Software as a Service
• PaaS – Platform as a Service
• IaaS – Infrastructure as a Service
46. The Cloud Pyramid
(Figure: pyramid of cloud providers. Names on the slide: Google Apps, Heroku, Salesforce; Windows Azure; SendGrid, Mailchimp, Twilio; Zendesk and a lot more; Amazon, Rackspace.)
47. The Cloud Pyramid – Applications long tail effect
• The long tail is directly an impact of the cloud.
• They all talk to each other.
48. Connectivity
• This long tail of products connects to the cloud via API
• It has fueled a new era of APIs
• Allows various SaaS companies to stitch together a whole series of services, generally via API
• Everything is connected to everyone
49. Differentiation
Bottom line: the cloud allows you to focus on what truly makes you different. It lets you outsource commoditized services and services that are not your core competencies.
55. 5-Step Process
1. What problem are we trying to solve, and what is the ROI?
2. Balance Sheet Test
3. Our BAA
4. Pilot Fast
5. Take it Wide if the Pilot Works & Economics are Verified
56. Five Predictions
1. Only more inventors will run-not-walk to healthcare
2. EMR vendors will be acquiring right & left in 2015 and beyond
3. Solutions will start breaking Provider-only and Provider-Payer (“Provayer?”)
4. Virtual Visits will take off like a rocket
5. Apple’s HealthKit et al. will finally make Remote Patient Monitoring relevant
57. Panel Discussion and Q&A
10:40AM – 11:30AM
• Hemant Pathak (Microsoft)
• Chad Kissinger (OnRamp)
• Sandeep Pulim (@Point of Care 360)
• Adam Greene (Davis Wright Tremaine LLP)
- Moderated by Shahid Shah, Netspective
Editor's Notes
(1) Hi, good morning everyone. My name is Anish Sebastian; I am one of the founders of a startup called 1EQ. We are a startup focused on improving prenatal care.
(2) But I am not here to talk about my startup; I am here today to talk about how disruptive the cloud can be, especially for startups like mine.
(3) I think the end that I am going to drive toward is that while the cloud truly is disruptive, it does signify a new era when it comes to privacy and compliance.
(1) OK, everyone talks about the cloud. It's probably one of the most clichéd terms these days.
(2) It's now gone past the stage of being a cartoon in a meme, which means it is now officially mainstream.
So why? Why is the cloud so powerful? Why is it so disruptive to every industry and especially.
Well, for most technologies to be called disruptive, they have to provide at least a 10X improvement, and the cloud certainly shows that.
I bucket them into these categories:
I think this is the simplest way to get across the ease-of-use point.
Normally, without a cloud-based/virtualized technology, I'd be doing that on the left-hand side (clearly not enticing).
Now, with a sign-in and very little training, I am up and running.
Generally contracts are on an as-needed basis and can be cancelled as demand goes down.
Linux, Windows: deploy on any server technology.
With the ability to create a virtual environment you can compartmentalize the entire thing, in other words