With cloud computing, sorting out pros, cons

Anne Paxton

April 2017—“No man putteth new wine into old wineskins” reads the biblical aphorism in Luke 5:36–39, which continues by giving the reason: “The new wine would burst the skins and be spilled, and the skins would perish.” Old wineskins, biblical scholars say, would typically be stretched to the limit or become brittle as wine had fermented in them.

On the subject of cloud computing versus local servers, one’s first thoughts might not relate to wineskins. But as ever more data storage and applications migrate to the Internet, the idea of data that might spill and databases that might burst by becoming unsecure—not to mention files that might perish—does resonate in the hospital world.

Across health care, cloud computing—or computing on demand via the Internet—has become pervasive. Its initial appeal has often been the huge capacity of outside data storage through file-sharing services that now include Dropbox, Google Drive, Microsoft OneDrive, or Apple iCloud. But software as a service that no longer has to be locally installed is swiftly becoming an even more important part of cloud computing.

The National Institute of Standards and Technology defines cloud service as a “pool” of configurable computing resources—networks, servers, storage, software, services—where the user generally has no control over or knowledge of the exact location of the provided services. This pool of resources is accessible by a variety of platforms and is tapped into, often automatically, based on user demand.

The primary advantage of using cloud servers is the ability to get storage and processing power as needed, which is helpful for large sets of data and cost-efficient for users, who can be charged on a pay-per-use model.

“To a certain extent, we have had what you might call ‘enterprise computing’ within hospital organizations for at least two decades, because we’ve had shared storage drives and shared back-end storage systems,” says J. Mark Tuthill, MD, division head of pathology informatics, Henry Ford Health System. But now, systems like Microsoft Active Directory or Citrix connect hospitals to many software packages and allow them to run multiple heavily used applications. Epic’s electronic health record is served through a Citrix interface, while Cerner offers a type of installation of its electronic medical record as a software service, Dr. Tuthill points out. “So you may not be installing Cerner in your data center or your hospital; you’re actually getting a secure instance of Cerner that they host in the cloud.”

“You can see how gray some of this can be,” he says. “But cloud computing is really just an Internet-enabled extension of enterprise computing, which is possible due to the low cost of storage as well as the markedly increased bandwidth that we have on the Internet now.” In fact, people use the cloud, often unknowingly, when they access anything through their browser, because the cloud is based on Internet technology.

In the past, services like file transfer protocol or secure file transfer protocol might typically be used to move large data files around. “Now we actually use business cloud services to do secure exchange of data.” Henry Ford also uses a couple of different apps to securely upload data into the cloud to companies that perform data analysis and return the data.

Dr. Tuthill’s health system has pre-credentialed cloud storage service providers to use for potential business apps by putting them through a rigorous security review, including third-party audits and a rigorous contracting process.

In molecular diagnostics, companies can use “secure Internet connectivity”—i.e. cloud computing—that allows analytics on molecular files, Dr. Tuthill says. For example, clients can upload their genetic sequences to Agilent, which will process them and return a report.

He doesn’t see this practice as standard yet. “I would say it’s an option or an opportunity, in many places. The large academic centers particularly are doing this in a very sophisticated way. They have their own internal network setup so they are really using internal enterprise computing.”

Smaller community hospitals could benefit the most from cloud services, Dr. Tuthill says. “If you don’t have the data center for storage and don’t want to hire all the people and do all the maintenance, you may want to use the cloud ahead of large institutions with massive infrastructures and much larger data needs. Some of their apps require storing tens of terabytes of data, and that’s not something you’re going to buy cheap right now on the cloud.” So he thinks smaller hospitals may be earlier adopters of cloud computing than the larger academic hospitals.

There is also the concept of a “private cloud.”

“This is software that uses Internet service but that is privatized by the way data storage is set up and how you’re secured,” he says. Henry Ford has such a storage system and considers it secure. “The rest of the world can’t get in here; it’s behind our firewall.” The key component to a private cloud is the use of “thin client” and Internet web services to carry out the communications, he says.

For next-generation sequencing data, there is no getting around it: The cloud environment is becoming essential. “One of the reasons for that is the volume of the data that needs to be analyzed and potentially the collaboration of those data sets,” Dr. Tuthill says. “In molecular diagnostics, particularly in research, you have to have a large data set, and typically that’s not going to be within one organization so people have to collaborate.”

Cloud computing has a direct relationship with what is called “grid computing.”

“Grid computing actually leverages the power of hundreds of thousands of computers to do analysis as opposed to a single desktop or single server or even a set of servers in your organization. And this allows you to achieve things like ‘big data’ computations.” As one example, NASA has set up cloud programs in which people can volunteer their computers at night while they’re asleep, allowing the computers to help NASA solve astrophysics problems.

“Cancer analysis and genome sequencing analysis could leverage this type of technology as well,” Dr. Tuthill notes. “Having 10,000 computers all working on a problem together is obviously strong computational power.”

Some relatively small LIS vendors have started to provide LIS services from the cloud, but the large companies, except for Cerner, still use the classic client-server model, Dr. Tuthill says. One reason is that tying into physical devices like instruments and printers is more difficult in cloud environments. But he thinks the pattern will change in 10 or 15 years. “You will likely see most people running their labs hosted in a data center with shared resources. That’s largely because of the huge maintenance cost. If your LIS vendor is going to update your LIS and they can do that in one place, versus on five different servers, making them touch all your workstations, you have eliminated a tremendous amount of maintenance.”

Cloud computing can also help laboratories automate their workflow or improve other lab processes, depending on how the software is built. “I think it can really get down to the level of interfacing instruments into it. You’re going to see a lot more vendors take their platforms into cloud services with ‘software as a service.’ If you look at other industries, you’re just seeing this in spades from people who offer customer relationship management tools that are hosted solutions. Our outreach portal is really ‘software as a service’; it uses cloud technology to help us service our outreach customers.”

Fears about security may or may not be overblown, Dr. Tuthill says. “On the one hand, if you are using the cloud to store things and it’s fully secure, and your company follows best practices, you’ve got a wrapper around your data. It’s better than using notebooks or thumb drives, which get lost, and you end up in the newspaper for HIPAA violations. So a network securing your data, and providing people access to it through cloud computing technology, has inherent advantages.” The ability of companies like Amazon and IBM to back up their data and ensure there are no viruses is inherently more maintainable and less expensive than what hospitals may have in their data centers, he adds.

But an inherent risk of using cloud services is that you may expose yourself to malfeasance on the part of the employees of the cloud company. “If you have a bad actor who decides they want to screw up your health system, they could do something to hack you or break you. Frankly, those are risks we face inside our own organization as well. But it does start to require a lot more effort in terms of security review when you step outside your firewalls.”

When vetting a company, Dr. Tuthill always asks if they have had their facility reviewed by a security analysis firm, and how they get assurances about their employees’ reliability. “The large cloud services, most of them, have ensured that data is encrypted to nonusers of the information. But somebody can always break through the security glass if you become complacent.”

Reducing capital investment in information technology is a clear advantage of the cloud, Dr. Tuthill says. On the flip side, there are privacy and security issues to take into account. “The patient doesn’t usually ask us, ‘Where are your records hosted?’ And we don’t ask, ‘Do you mind if we store your data in our data center?’ It’s just not a big part of the conversation.”

For most such questions, HIPAA privacy regulations step in as the patient’s proxy. “And the HIPAA rules have gotten a lot more stringent as of 2013. We have had to recertify all of our vendors for the new HIPAA rules, but that’s partly driven by the desire to protect the patient’s interest.” Meanwhile, ironically, patients surf to online health charts on Amazon and Google and blithely fill in the blanks. “Some patients have no compunction about putting all of their information into a cloud program like that; others may not.”

Some diagnostic disorders like HIV or unique genetic diseases pose a special risk, Dr. Tuthill says, if a patient could be identified, though he’s never seen such a thing happen. “That said, we’re very careful. We have our patient portal, which we’re required to provide by the HITECH Act, so patients can view their lab results, schedule appointments, and communicate with their doctor, and we have excluded some lab results such as HIV and sexually transmitted disease results from going into that portal.”

Until recently, all anatomic pathology results were also excluded from the patient portal at Henry Ford. “This was because we did not want to have patients’ first notice of a cancer diagnosis in the form of a message in their portal. But we have reversed course on that and are taking a less paternalistic approach. We basically say the doctor should be in touch with the patient and release the diagnosis within three days. This was driven in part by patients’ requests as much as law.”

In short, he views less expense and greater security as the basic benefits of the cloud. “If you just look at the consumer model, if you can get a terabyte of storage from Amazon Web Services for $250 a year, it may sound expensive. But it’s not expensive when the hard drive at home crashes and you’ve just lost a collection of family pictures from the last 15 years. I do think the cloud will be a much more cost-effective approach for everybody, not just industry, and not just in health care.”

Physician informaticist Alexis B. Carter, MD, on the other hand, is far less sanguine about cloud computing. While cloud services have distinct advantages, laboratory directors should know that the security and privacy risks are substantial, and every available form of mitigating those risks has limits, she says. For her, these downsides are a deal-breaker. “I don’t use the cloud if I can possibly avoid it,” says Dr. Carter, of the Department of Pathology and Laboratory Medicine at Children’s Healthcare of Atlanta.