Cloud Technology Overturns IT Assumptions

By smace@healthleadersmedia.com | November 27, 2012

I'm here to say that healthcare should be thankful it has come late to part of the technology party.

Why? Because healthcare doesn't have to play by the so-called rules that existed a few years ago. Healthcare can challenge the assumptions that drove decisions a short while ago and take advantage of cloud computing technology that overturns the conventional wisdom—and price structure—of IT services.

Want an example? Recently, I spoke to QualSight, a healthcare provider you probably haven't heard of, even though it serves more than 75 million health plan members.

Chicago-based QualSight launched eight years ago to connect independent ophthalmologists to healthcare plan sponsors to provide their members laser vision correction services. Today, the ophthalmologists operating out of 800 locations let QualSight boast of being the nation's largest Lasik services manager.

Surprise number one: The main third-party vendor QualSight uses to process credit cards for payments is PayPal, the eBay subsidiary.

That's right, PayPal is big business now.

Like others who deal with credit card information, PayPal requires QualSight to comply with the Payment Card Industry (PCI) standard. With 800 practices, QualSight could have implemented its own virtual private network (VPN). But instead, QualSight is using a cloud-based, HIPAA-compliant VPN and database server to securely serve transactions through the cloud. Instead of going with the usual Oracle or MySQL database, QualSight uses open-source PostgreSQL.

The key to making all this work, apparently, is to find just the right cloud hosting vendor, which in QualSight's case is FireHost. "We've been with FireHost for probably a year and a half by now, and I've been very happy," says Carlos Navarro, manager of IT at QualSight.

In January 2010, QualSight was running its own instance of the database from its offices. Such on-premise operation is another assumption of many healthcare providers today.

Then came the hackers.

"Nobody was here in the office," Navarro says. "There was an attempt to hack us from China. We determined that later, there were 15,000 attempts, and they successfully did penetrate. However, no damage was done."

[Editor's note: The hacking attempts did not actually penetrate or compromise QualSight's network in any way.]

The intrusion made QualSight consider the possibility of perhaps hosting its database elsewhere.

Before the evaluation was complete, fate intervened one more time. A major power outage in Chicago took QualSight's services offline for six hours.

"We lost a lot of data, and at this point, the company decided we need to select a cloud vendor very quickly," Navarro says.

FireHost's security stood out. Navarro hasn't regretted the decision.

"The applications ... are shared between 800 practices, and most of the information that they're entering is completely HIPAA," he says. "We're talking about patients. We're talking about patient social security numbers. We're talking about outcomes of surgeries. We're talking information that's very delicate."

The switch over to the cloud was accomplished in a single weekend. "There were some changes that were required on our end, programming changes, just to make it compatible, but we did this over a weekend, so the practices never noticed anything," Navarro says.

Like other providers I've talked to about the cloud, Navarro takes solace in the kind of penetration testing that a cloud provider such as FireHost can attempt on a monthly basis—testing that a healthcare provider can hardly claim as a core competency. "This is all part of the service," he says.

The average healthcare executive can be forgiven for forgetting that the software powering today's systems is a patchwork quilt of updates, security fixes, and bug workarounds. The CIOs reading this, however, know all too well that it becomes less practical every day for this cost to be shouldered entirely by your average hospital or healthcare provider.

Remember this when you're watching IT assumptions from the past decade crash and burn all around us: Every organization that's switched to the cloud seems to have its own version of the hackers-from-China story or the power outage story.

Remember this when you have to hire outside consultants to test your firewall's open ports, and then wonder how long it's been since the last test. Three months? Six months? Would your auditors be happy? Is not doing this testing often enough meeting the spirit and letter of the HIPAA law?

A lot of CIOs tell me they don't like the lack of transparency of cloud services. There's a reason they call it the cloud. What goes on inside there is, well, cloudy.

That doesn't dissuade Navarro. "I am not sure about all the details inside that makes the cloud tick," he says. "We get a report on a daily basis ... where we can see at any time and go historically back, I think three months or so, any intrusions or attempts of intrusions, which is phenomenal. We can see our backups. We can see reports on our vulnerability tests. We can see basically any information, anything that's eventually protecting our data."

Cloud vendors have to be very, very good at managing and applying all these fixes, or they'll be out of business in a real hurry.

Maybe, in a few years, this wheel will turn again and the pendulum will swing away from hosted applications. But I doubt it. Cloud technology just makes sense. Obviously, your mileage may vary. But as long as the cloud vendors say what they mean and mean what they say, the cloud will proliferate.

Scott Mace is the former senior technology editor for HealthLeaders Media. He is now the senior editor, custom content at H3.Group.
