It seems like everywhere you look these days, health care IT vendors are touting cloud computing. As the term “cloud computing” is very loosely defined in the IT industry, let alone the medical industry, these vendors are using it to market all sorts of hosted solutions from remote storage to more complex application hosting. Historically, these solutions were called application service provider (ASP) solutions. This is really nothing new other than rebranding to match IT terminology that exists today. If you went to the HIMSS or even the RSNA conference about 10 years ago, there was a whole host of small ASP companies at these shows. In the end, a lot of these failed due to high costs, inability to provide sufficient bandwidth to deliver data quickly, too much competition, large IT or imaging vendors taking over the marketplace, etc. Some of these small ASP solutions did survive alongside similar solutions from larger vendors to become today’s cloud computing solutions.

True cloud computing merely involves providing hosted applications or hardware/infrastructure—such as servers or storage—via the Internet. An easy way to understand cloud computing is to look at an example. Companies like IBM, Google, and Amazon have thousands of servers that are needed to support their operations during their peak usage times, but for a lot of the time much of this computing power sits idle. For example, think of all the server traffic that Amazon has around the holidays but is not using during the summer months. Rather than waste all this computing power, these companies offer access to their excess capacity for potentially cheaper costs than what organizations could install and support those servers for on their own. Thus, the organization may be able to access a lot of computing power or storage for a low cost and with no resources needed on their end to support the hardware. The cloud provider also makes out because they have excess capacity that they are already paying for, so if they can make money on it then it cuts their losses or they can take advantage of tremendous economies of scale. Certainly, this is a simplified example, but it helps to illustrate how cloud computing works.

Advantages of the Cloud

Today, cloud computing can be loosely categorized into three divisions—public clouds, private clouds, and hybrid clouds. Public clouds—as described in the last paragraph—are hosted applications or hardware offered publicly via the Internet. Private clouds are the other extreme. These are single-entity-supported clouds that sit behind a firewall and are not available to the public. Thus, a health care system could essentially use some of the same technologies employed by public cloud providers but use these technologies to host all the different applications that are used within the health care system. Again, this is not something that is new, as hospitals have been using technologies such as virtualization and enterprise archives for some time now. Finally, hybrid clouds involve a hospital managing some hardware or applications on their own and using an external vendor to host other hardware or applications. For instance, a hospital may manage its own applications but use an external third party for its long-term data archiving.

Cloud computing can potentially offer some significant advantages. Hospitals with limited IT resources can take advantage of resources from a third party to maintain and manage hardware or applications. Costs may be lower because a hospital only pays for what it is using in the cloud and does not have a lot of hardware sitting idle or underutilized (this is a primary advantage for private clouds). Clouds offer instant scalability. If a hospital needs more server or storage space, this is readily accessible via the cloud provider. Cloud providers refresh their hardware regularly so hospitals with limited capital funds and/or resources do not have to struggle with continual hardware upgrades. In addition, clouds may offer some additional redundancy not available via an in-house solution. For example, if a single hospital wants to store data in multiple geographic locations for disaster recovery purposes, clouds can offer this capability.

Data Security

This all sounds great until you try to deal with medical data, which offers its own unique challenges. If you want to push your hospital’s data to the cloud, for example, then it is easy to do from a technical standpoint—but the data is no longer under your control. These servers could be located anywhere across the country, and you do not necessarily know where the provider stores the data. For HIPAA regulations, how do you ensure that data privacy and integrity are met? To get the most benefit out of cloud computing you would truly have to submit your data to the cloud, which means sacrificing some of the security controls that you can put in place when you own and control your own hardware. Certainly the cloud providers have put privacy and security measures into place to protect the data. Nevertheless, any time data leaves a controlled environment there is always some level of risk. There is always the question of how easy would it be to retrieve the data in the case where a hospital severs its relationship with a cloud provider or even in the case where there is a need to immediately retrieve a lot of data quickly (eg, in the case where an in-house archive may be rendered inoperable) where bandwidth limitations may impact data accessibility.

For most of the vendors offering cloud computing solutions today, what they are really offering is what they have offered all along. They have their own data center(s) with a large pool of storage, servers, and potential applications. You contract with them on a per study, per access, per MB or GB of storage basis, and pay for the hardware or application usage as you go. They typically set up some hardware at the hospital to allow for a secure connection to their data center, and they then manage everything beyond that point. Because they are a single entity and control all the hardware, they can then partition that hardware to control where your data goes. They also can set up tighter controls to address HIPAA concerns.

As has always been the case, sometimes these solutions make sense for a hospital and sometimes they do not. The trick is to evaluate more than costs. Otherwise, today’s cloud may turn into tomorrow’s storm.

Ken Olbrish, MS, is an enterprise imaging system administrator in the Information Services Department for the Main Line Health System, suburban Philadelphia, and is a member of 24×7’s editorial advisory board. For more information, contact .