The medical industry requires the constant availability of data applying to both patients and staff at all times. The existence of paper-based files results in inefficiencies in the organisation and the failure of servers can lead to complete unavailability of vital data. The cloud enables data to be readily available, more secure from possible cyber-attacks and provide a sustainable platform to ensure continuous testing of disaster recovery strategies.
The proposed solution will be to transfer all existing files and data to the cloud supported by the key advantages that cloud storage can offer Cork University Hospital. The report evaluates the benefits that cloud storage brings to organisations like CUH and provides an adequate recommendation that CUH should implement to their existing system.
2.2 Introduction
In 2016 Cork University Hospital had 3,269 employees, over 200,0000 out-patient attendances, over 45,000 inpatient discharges and 80,938-day cases. The maternity services had 7638 births and 90,453 outpatient attendances. Each patient that enters the hospital is assigned a paper-based file where all information regarding the health of the patient and medical history is stored. The management of these staff and patient records is becoming an issue. Mainly, problems with storage, maintaining the integrity of records, methods of accessing and transferring records and the physical location of records. Security is a core issue in this recommendation which will be discussed at length throughout this report given the sensitivity of the data at risk and the imminent implementation of the new GDPR legislation. [17]
Cloud services offers a more cost-efficient method of IT service implementation. The large inflow of highly sensitive information into CUH implies there must be a robust storage system in operation and one that eliminates excess spending of IT maintenance and upgrades. Large scale hospitals should be able to quickly respond to pressing problems regarding patient and staff information, and a case should be made for the necessity of business-critical software in addressing these issues. Adopting a corporate mindset to managing these issues regarding expansion, storage and data protection should be in the minds of CUH executives when making strategic decisions to align with the goal of an improved patient experience.
The demand for addressing the issues above is affecting the hospital and within specific departments such as, the dental hospital in CUH. After speaking with a member of staff we were able to gain a further insight into this issue and the database system that is currently in use:
• Paper-based records.
• Recent record storage in both main receptions.
• Archived record storage in Basement. (Up to 2012)
• Older record storage stored off-site.
• Patient information and appointment information stored in a database which can be queried and changed by staff.
• No further record of medical information regarding patient outside of file.
• Location of patient records can be disastrous as each time a chart is moved around the hospital it must be electronically signed out to where it is going and electronically signed out to whatever location it goes to next, etc.
• Theoretically this should work relatively robustly but the procedure is prone to human error. This can lead to the temporary or permanent loss of files which means if urgency is a variable (which it often is) and the situation demands an immediate record of patient medical history, there could be serious consequences.
We would recommend the movement of both staff and patient record databases to the cloud and our justification will consist of the areas that we feel are relevant to assess beginning with scalability.
2.3 Requirements Assessment and Recommendations
2.3.1 Scalability
Cloud storage enables access to unlimited amounts of storage which can grow or shrink to fit any organisation. If CUH were to adopt cloud storage there would no longer be a need for purchasing expensive new hardware and software when user loads expand. Instead capacity would add and subtract as the system requires it. This would be very advantageous for CUH. As was mentioned in the introduction, there is a vast amount of data that passes through the hospital everyday which would imply the use of a large database and a large amount of data. This data inflow will continue to grow each year as the population grows and CUH will run into avoidable expenses if cloud storage is not adopted. The scalability that cloud storage would offer any health organisation is notable and considering the flexibility in altering storage depending on demand (sizable population growth can occur in areas and life expectancy continues to grow). The scalability of cloud storage is therefore something CUH can significantly benefit from in terms of future costs, flexibility and changes in existing IT systems.
2.3.1 Maintenance
Maintenance is considered one of cloud computing’s most powerful features, providing “enhanced and simplified IT management and maintenance capabilities through central administration of resources, vendor managed infrastructure and SLA backed agreements” [1]
This eliminates the need for IT infrastructure upgrades and maintenance costs because all resources are now kept by the service provider.
CUH will be further enabled by a simple web-based interface for software access, application and services. This is possible without the otherwise necessity of installation. Service Level Agreements serve as the blueprint and warranty of cloud computing services, they guarantee a level of excellence in the service delivery, management and maintenance of IT services.
“With a managed service platform, cloud computing is much more reliable and consistent than in-house IT infrastructure. Most providers offer a Service Level Agreement which guarantees 24/7/365 and 99.99% availability. Your organization can benefit from a massive pool of redundant IT resources.” —Biren Shukla, CEO, Levelcloud [2]
Many professionals agree that in terms of reliability and consistency cloud computing (with an MSP such as SolarWinds) is more satisfactory than that of in-house IT infrastructure and data access is enabled continuously. When urgency becomes an issue, which is often the case in hospitals CUH will be able to rely on server outages being managed proficiently and as minimally as possible. Effective healthcare can be therefore enabled as much as possible with a minimum margin for extraneous error.
2.3.3 Backup and Recovery
Backup and recovery becomes much simpler when cloud services are integrated into an organisation in comparison with storage on a physical server. Amazon S3 web services, for example offer very competitive backup and storage capabilities. The power of cloud backup and recovery has been harnessed by the majority in the corporate industry and should be considered for an organisation like CUH especially with its size.
“As the Cloud has no singular physical location, remote access is also a simple and feasible be
nefit to online backup. So long as you can connect to the remo
te server, you have access to all the data that you have stored in the Cloud, without having to do anything differently.” [3]
CUH also holds large amounts of highly sensitive data. For example, although CUH holds personal information about patients it also holds very sensitive medical information i.e. aids patients. The security of this information is of paramount importance to both the patient and the hospital (with GDPR becoming compulsory in 2018). This reiterates the need for the more effective backup and recovery approach that cloud enables.
2.3.4 Sustainability
Cloud-based solutions have been praised for their environmental friendliness, compared to underutilized and inefficient on-premise solutions. Cloud infrastructure addresses two critical elements of a green IT approach: energy efficiency and resource efficiency. Whether done in a private or public cloud configuration, such solutions will be greener solutions. Due to the harnessing of virtualization technology, from a resource-efficiency perspective, less equipment is needed to run workloads, which proactively reduces data center space and the eventual e-waste footprint. From an energy-efficiency perspective, with less physical equipment plugged in, a data center will consume less electricity. Combined with the right skills and operational and architectural standards, automation allows IT professionals to make the most of their cloud-based infrastructure investment by pushing the limits of traditional consolidation and utilization ratios. The benefit of multitenancy allows many different organizations (public cloud) or many different business units within the same organization (private cloud) to benefit from a common cloud-based infrastructure. By combining demand patterns across many organizations and business units, the peaks and troughs of compute requirements flatten out. Combined with automation, the ratio between peak and average loads becomes smaller, which in turn reduces the need for extra infrastructure. The result: massive efficiencies and economies of scale in energy use and infrastructure resources. [4]
2.3.5 Cost Efficiency
Cost-efficiency when deciding between the Cloud and on-premise data storage has often been compared to the rent vs. buy determination. With the cost of hardware, power consumption and physical space needed to implement on-premise storage, the Cloud is far less of an initial financial investment. With a cloud service provider, server maintenance and upgrade costs fall on the service provider—not the organisation availing of the service. With on-site management, having no data manager requires calling in a technician at an additional cost for hardware installation [5]. When comparing costs, however, CUH must also consider utilization, which is a key parameter. On the public cloud, you pay only for what you use. When you build your own server, you pay for it all the time—whether it’s busy or not. This is where CUH may benefit from using cloud services. Retaining and upgrading current systems may create overheads that are unnecessary. For the reasons mentioned above, increasing cost efficiency by migrating to the cloud will be a welcomed motion.
2.3.6 Security and Privacy
Information security in relation to health records is of key importance. Due to the highly sensitive nature of this information it is imperative that the data controller (CUH) and the processors (cloud service provider) of such information have the same goals when it comes to security and compliance. As the EU General Data Protection Regulation comes into effect this year, it may be a good time for CUH to move to the cloud. However, this comes with its risks – some CSP’s may not proactively work to become GDPR compliant, which may only come to the surface post-breach. On the other hand, many CSP processors will understand their obligations under the GDPR and adapt and amend their services, contracts and background processes accordingly. Those that get on top of understanding the importance of compliance and the basis of that compliance will be able to distinguish themselves in the market [6]. This is where CUH will need to seek the CSP that provides the most effective compliance strategy. Once a successful tendering process has been completed, CUH will be partnered with an optimal solution for cloud services that services both organisation-critical and patient-critical needs.
2.3.7 Vulnerability to Attack
With a GDPR compliant cloud service provider (CSP) in place, CUH should never assume that the service being provided to them is an impenetrable solution. Worst-case scenario procedures will need to be at the ready, regardless of the level of compliance/security the CSP promises. Unless there is complete transparency of the CSP’s operations, CUH will not be able to verify the security posture of a CSP. In the process of choosing a CSP, CUH will need to ensure that relevant security intelligence platforms are being used to monitor network traffic both on site at CUH and at the remote cloud locations. Lack of this will reduce the visibility of possible threats that may wish to compromise the personal data of the organisation’s patient body. The necessity for such threat intelligence will become increasingly prevalent in 2018 as GDPR article 33 requires all data controllers to notify of a data breach no later than 72 hours after they become aware of it. A CSP that also offers managed security services of its client’s networks will prove to be a successful candidate for the migration, as reaction to threats will be faster than those that do not offer such a service.
2.3.8 Upskilling
Most of the changes made by upgrading to the cloud will not necessarily be visible to workers/patients. The general user interface should, in most cases, remain the same. This is an advantage to cloud migration as users will not face huge changes in day-to-day use of their systems. The data is solely being stored in a different manner. It would be beneficial to upskill employees with the goal to improve organisational culture surrounding data security, specifically surrounding data leakage prevention (DLP). Setting a goal such as to become ISO 27001 compliant in conjunction with moving to the cloud will improve CUH’s security stance across the entire organisation. This will be seen as a major advantage by patients, who will know that the hospital follows standardized policies to protect their most sensitive personal information. To implement this, training programs will need to be held for all employees, organised by subject matter experts in information security best practices and procedures.
2.4 Cloud Backup
Cloud backup, or online backup, is a technology that involves sending a copy of your data to an offsite vendor. This keeps the data secure and accessible in real time. Cloud backup is becoming a popular alternative to traditional data backup and recovery storage media, such as tape and disk.
There are a number of benefits to cloud storage. One of these is that the data is being stored off-site, so if the system crashes, the data isn’t lost. This would be of huge benefit for a hospital like CUH, where the maintaining of patient data is paramount. A cloud backup solution can automatically back up all your folders, files and research continuously. Cloud data storage options have become more popular in healthcare over the past several years as the general stigma of hosting data off-premise has worn off [7]. As organizations adopt mobile applications, storing clinical data in the cloud gives users more complete access across all devices.
Hospital records are highly confidential, requiring the backup to be secure. A cloud backup solution would allow for advanced encryption at every step to protect the data. This would be of great benefit to CUH, as they would kno
w that all data being backed up would be s
ecure. By storing their backup on the cloud, it would be stored in a secure data centre. This security is both through the encryption and through physical security. Attributes of physical security includes climate control, backup power generators, CCTV and security guards.
Another benefit of cloud backup services is the scalability of content storage. The cost of buying more storage is less than that of buying physical storage capacity [8]. There has been a large jump in CT, X-Ray and MRI scans in hospitals around the world, and these high bandwidth items need to be stored somewhere. When faced with this mountain of data that is constantly growing, larger hospitals like CUH will need backup options that can handle data in the terabytes or petabytes. The scalability of a cloud backup solution allows for extra space to be purchased easily [9].
There are some drawbacks to cloud backup. As the backup is based on the cloud, an internet service interruption could cripple an entire organization from restoring essential data. Cloud providers can also limit the amount of control IT workers have over the management and maintenance of the cloud [10]. Another potential drawback is that cloud storage is dependent on the speed of the network, so if the network speed was slow, it could take a long time to back up critical data, which would have a negative impact on the system.
2.5 Cloud Archiving
Cloud archiving is a storage as a service which Cork University Hospital can implement to ensure long-term data retention. The archive processes the sensitive data of individuals and staff that is infrequently accessed and optimised for security and compliance with various data regulation policies. In comparison to storing large volumes of nonessential data in-house, storing archived data in the cloud is a cost-effective alternative. Storing data in the cloud alleviates the necessity for purchasing and monitoring on premises hardware systems such as disks and tapes. This archived data rarely needs to be accessed from the cloud, which could often be time-consuming and expensive to Cork University Hospital. [11]
The cloud offers a clever alternative to the traditional on-premises tape, which is frequently selected as the hardware of choice for long-term data retention. The clouds advantage is geographical redundancy that migrates the risk of data loss from tape failures, enhanced search capabilities and the elimination of costs from technology refreshes. [1] Tapes remain the main hardware device for in-house archiving, however, they may be less reliable in the long term if not managed correctly. Cloud archiving stores data more securely and reliably, which is of utmost importance to the data of CUH.
We recommend implementing the cloud archiving vendor Mimecast, who tailor specifically for healthcare organisations to archive email and files. Mimecast provides the healthcare industry with the only comprehensive all-in-one cloud archiving service, integrating a highly secure data repository and a built-in data recovery. Providing a cost-effective cloud storage service with reduced complexity during migration. [12]
Mimecast offers crucial security to protect CUH from cyberattacks with a single cloud security solution, utilised both on the cloud or on-premises email management system with multiple layers of malware protection. Mimecast provides business continuity in the event of a server failure as employees can get uninterrupted access to live and historic email and attachments from the Mimecast Cloud. Administrators and employees have guaranteed access to their email from any device, anywhere without expensive hardware. [12]
2.6 Disaster Recovery
Disaster recovery is a process you can implement to recover information systems and data in the event of a disaster. Disasters can be either man-made such as a fire or technical such as a two-disk failure in a redundant array of independent disks (RAID) 5 array. If Cork University Hospital are considering transferring both their staff and patient records to the cloud, this would require a complete implementation of a disaster recovery plan. The planning involves the correct selection of a strategy to aid recover valuable data applying to both staff and patients. The selection of the appropriate disaster recovery strategy depends on the business requirements of Cork University Hospital.
Cloud back-up is an approach for backing up data that involves transferring data from the typical off-site service to a managed online service provider for protection. Disaster recovery as a service (DRaaS) provides Cork University Hospital with a cheaper, easily deployable and a more regularly tested back-up over traditional off-site services. Cloud services enable cost savings for CUH as it runs on shared infrastructure, providing more flexibility as they can register for just the services they require. DR testing can be performed by simply spinning up temporary instances. [13]
When selecting an appropriate disaster recovery strategy, it is important to consider the following factors:
2.6.1 Recovery Point Objective and Recovery Time Objective
Recovery Point Objective (RPO) and Recovery Time Objective (RTO) are the most critical parameters of a disaster recovery. These objectives provide a guideline for administrators to select the appropriate disaster recovery strategies, technologies and procedures.
Recovery Point Objective (RPO) is the maximum age of data that an organisation must recover from backup storage to enable normal operations to resume after a disaster. Thus, reducing the number of backups required.
Recovery Time Objective (RTO) is the maximum duration of time after a disaster, for an organisation to recover data from backup storage to resume regular operations. Reducing RTO time involves positioning secondary data, so it can be easily accessible in the event of a disaster. [13]
2.6.2 Planning and Strategy
Planning a disaster recovery strategy minimises the negative effects to an organization’s operations for recovering disrupted systems and networks. A risk assessment can be performed to analyse applications and data. This enables the organisation to prioritize the most important and crucial facets of the organisation that they can’t afford to lose. The individuals that should be involved in a risk assessment include:
• An accountant to quantify the risk numerically with relevant probabilities multiplied by the expected impact.
• Database administrator and technical people in the department.
• All heads of department that will be directly impacted by a disaster.
Mitigation cost identifies how much It will cost to prevent a disaster occurring. If the cost of fixing is greater than the cost to stop it occurring (mitigation), the organisation should not implement it. The organisation should rank each risk in order and begin implementing at the top.
– Cost of Risk X Probability = Impact
2.6.3 Disaster Recovery Testing
Disaster recovery testing provides a framework for organizations to ensure they can adequately recover data, resume regular operations quickly and provide sustainable business continuity for the future. DR testing is often overlooked in organizations as creating a plan for disaster recovery can tie up additional resources, this is a viable solution once created that does not require ongoing testing. Tests provide an organisation with a basis to identify problems or areas that require improvements or replacement if necessary. Communications, data recovery and applications are typically a focus of all disaster recovery testing. DR tests should be performed regularly throughout the year and should be incorporat
ed into all planned maintenance. Audit logs can be analysed furthe
rmore to determine what worked as expected, what didn’t work as expected, what changes are required and what tasks need to be re-tested. [14]
CUH should consider virtualization as their disaster recovery solution. Virtualization is a critical component of a DR plan which improves flexibility by reducing downtime, computing resources and reducing cost. Virtualization provides replication of data for the entire data centre, which can be accessed easily and efficiently if necessary. Server virtualization provides quicker recovery point objectives (RPO) and recovery time objectives (RT) that align with the business requirements.
2.7 Conclusions and Recommendations
Throughout this report we have contextually assessed the issues CUH is currently facing, evaluated the benefits and disadvantages that cloud storage may bring to the example and examined the major areas that will be enabled by cloud services such as cloud backup, storage and disaster recovery. After our in-depth analysis we recommend that CUH implement cloud computing in moving one or both of their staff and patient records databases to the cloud. It would be prudent to partition this implementation to not risk the loss of highly sensitive patient data. For example, the transfer of staff records first followed by patient records if successful. This would ensure a minimum risk of patient information loss and therefore avoid patient discomfort or protest.
If both staff and patient records databases to the cloud, certain parameters must be given comprehensive attention including the concept of privacy by design [15], organizational readiness, thorough evaluation of the service provider (including key areas in data governance), uploading highly sensitive data, determining the appropriate security wrap. [16]
As we have expanded on throughout this report, cloud computing offers a scalable, cost efficient and secure method of engaging with some of the pressing issues facing CUH that we identified by interviewing a member of staff in the dental hospital. However, adapting employees to change can be challenging and therefore an implementation structure is key, but with the robust cloud services options available today, we feel CUH should embrace this change and make their organization a more efficient, more secure and a better experience for all patients and staff.