Article

Healthcare IT is moving to the cloud—but what cloud model should you use?

By Simon Häger, Market Strategist at Sectra

In a previous article, we discussed how to build a business case for moving your healthcare IT system to a cloud-based environment. But there are many cloud models to choose from, and you must decide what model to use. The models differ considerably depending on whether they are private or public, but also in terms of the type of vendor that provides them, ranging from the big-tech companies to health IT companies and consultancy firms.

In this article, we explain the difference between the models, their pros and cons, and give you some guidance on how to maximize the benefits of using the cloud.

Understanding the different cloud models

In broad terms, cloud models can be divided into private and public clouds, with the hybrid cloud utilizing parts from both models. The US National Institute of Standards and Technology (NIST) has provided a well-adopted description of the various cloud models[1], which we have used as inspiration for the description below.

Public cloud

The cloud infrastructure of public clouds is made available to the general public and is owned by an organization selling cloud services. The cloud provider is responsible for both the cloud infrastructure and for the control of data and operations within the cloud. Public clouds can differ considerably depending on the vendor. The ‘true’ public clouds are mostly provided by the tech giants, such as Microsoft (Azure), Google and Amazon and have thousands of tenants. For electronic medical records (EMRs) and enterprise imaging systems, we see many of the health IT vendors also providing public clouds, although serving a much lower number of customers. In this article, we focus on these two groups – those provided by tech giants and those by health IT vendors – of public cloud alternatives.

Private cloud

The cloud infrastructure is operated only for one single organization. It may be managed by the organization itself or a third party and can exist both within the hospital or off-premise. The cloud provider is responsible for the infrastructure but not for the control of data. This cloud structure can be provided by a number of different vendors, ranging from individual IT companies to consultancy firms and the health IT providers. In this article we treat these as a single category due to their similarity.

Hybrid cloud

The hybrid cloud infrastructure is a composition of two or more clouds that remain unique entities but are integrated together, which enables data and application portability. This setup can offer benefits from both the private and public clouds, but also increases complexity due to several instances and multiple vendors that need to be orchestrated. One setup seen more frequently in medical imaging involves the system being installed in an on-premise or private cloud setting, while other applications, such as speech recognition or image analysis, are hosted in a public cloud environment.

Software as a Service (SaaS vs. cloud)

Operating in the cloud enables the healthcare provider to buy Software as a Service (SaaS). This means the capability for the hospital to use the vendor’s IT applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (for example web-based email) or a program interface. The vendor assumes far-reaching responsibility for both the IT and the hardware.

In the SaaS scenario, you do not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage or even individual application capabilities, except for limited user-specific application configuration settings. Simply put, SaaS takes the cloud one step further to expand the outsourcing of IT to also include the application layer.

Benefits of moving to the cloud

One of the main benefits of utilizing a cloud infrastructure is to achieve elasticity and resilience. The cloud provides a more cost-effective way to scale up your software and storage needs as volumes grow or shrink.

Letting a vendor provide software and hardware also means they are responsible for upgrades. This will provide you with access to the latest technology and functionality as it lies both in your and the vendor’s interest to continuously update components and software. This means that your organization will get faster and more easy access to the latest development, which in turn will increase productivity and security of your operations.

Security has become the core competence of many cloud vendors, which means that it is not necessary for you to maintain the full set of security knowledge inhouse. For some areas, you can rely on the vendor’s expertise. More frequent upgrades of firmware and software components, the vendor’s know-how, together with a multi-layered safety architecture provide better IT security than a regular on-premise environment at a general hospital.

Cloud services usually employ a “pay as you go” model, i.e. you only pay for what you use. The operational-based pricing structure, together with the inherent economies of scale, can offer a much more cost-efficient IT infrastructure and use of IT resources than a capital-heavy on-premise installation. The cloud makes it easier for you to scale your system for higher volumes and include more “ologies” and departments, it removes the need for a large initial investment, and makes it easier to match revenues with costs.

A standard-based cloud infrastructure reduces the risk of lock-in effects in comparison to an on-premise installation. Accordingly, you should ensure that the infrastructure is built on open source components and that files and images are saved in a standardized format, such as DICOM, XDS, S3, etc. This will facilitate a potential future vendor replacement, if needed.

Figure 1. The key benefits of utilizing the cloud.

A checklist for ‘true elasticity’ and ‘true resilience’

Superior elasticity and resilience are two of the main reasons for justifying the transition to the cloud. Irrespective of which cloud model you adopt, it is important that it can compete with the ‘true elasticity’ of the public clouds provided by the tech giants. These offer unlimited scalability in terms of both capacity and new services. Some factors to consider that ensure elasticity:

  • The infrastructure should be built on real cloud technology similar to what the big cloud vendors (e.g. Microsoft (Azure), Google and Amazon) are using.
  • The infrastructure should be built on scalable frameworks, such as OpenStack, S3, software-defined networking, server virtualization and virtualized storage. This will enable a future-proof ability to deploy and scale services on demand and on standard hardware, and allocating and de-allocating processing, storage and network resources automatically via APIs.

Resilience is another key component to ensure hardware failure can be handled without the need for service windows. ‘True resilience’ can be achieved through several different measures. A few of these are listed below:

  • Geo-redundancy with several geographically separated data center environments.
  • The environment contains multiple compute nodes on multiple dedicated physical servers, all hosted with a high degree of redundancy within each data center.
  • Highly scalable software-defined storage system. This means that the architecture is based on multi-copy redundancy of objects stored on clusters of servers with disk devices.
  • Geographically diverse connections between the data centers and the customer’s network. (I highly recommend reading the referenced text about network diversity, which explains why network redundancy is insufficient protection[2])
  • Continuous testing and monitoring of failover systems.

The pros and cons of public and private clouds

Let’s proceed by evaluating the pros and cons of the different cloud models. To reflect the alternatives today’s healthcare providers face, we have chosen to assess the private cloud, the public cloud offered by the tech giants, and the public clouds offered by health IT vendors.

Customization

Private clouds have a greater capability than public clouds for customizing both the software and hardware to suit specific applications and purposes. The increased flexibility can, in some cases, enable the private cloud provider to offer a lower overall cost by matching its infrastructure and business model to the applications and workflows you have in the organization. This customization can also increase performance of applications as well as security.

Public clouds are largely designed more for general purpose, with focus on reaching economies of scale, and normally do not allow any substantial customization. However, more niched public clouds, such as those provided by health IT vendors, have a greater possibility to offer customization for specific applications and workloads than the tech giants.

Public clouds usually offer a broader set of services. For general purpose applications, they can offer superior scalability, shorter implementation times, and lower cost. They are often globally available, which enables international health providers to use the same vendor and setup regardless of the country in which they operate.

Optimizing cost, performance and security comes down to finding a balance between scalability and the level of customization the vendor is willing to make. Since healthcare applications and workflows are rarely general in nature, some degree of customization is usually necessary.

Costs

By nature, public clouds share resources over a greater number of tenants and can thus achieve better economics of scale. Accordingly, they should theoretically be able to offer lower prices to their customers. But this is only valid if the cloud environment and the business model reflect your users’ pattern of use and workflow. For example, the public clouds provided by the tech giants usually charge a low fee to upload data, but multiple times more for downloading data. For use cases such as radiology, this becomes extremely expensive because of radiologists’ use pattern of fetching prior examinations, which requires data download. Private cloud providers—and, to some degree, public clouds provided by health IT vendors—have the advantage of being able to tailor their cloud environment and business model to suit the use pattern and use case of their customer. For example, they can customize the cloud environment to be optimized for a specific need without having to fulfil a general requirement, which results in a lower total cost.

Again, the level of customization becomes a contributing factor to how affordable the cloud model becomes for your organization. The increased flexibility in IT environment and business model can, for some use cases, trump economies of scale and provide a lower cost solution than the tech giants’ public clouds.

In an evaluation process, a hybrid cloud model can turn out to be the most affordable. In such a setup, the short-term storage and application layer would be handled within a private cloud environment that is designed with the running applications and use pattern in mind. The long-term (“cold”) storage would be kept within a public cloud environment. However, this arrangement creates a challenge for the healthcare provider since in requires the management of multiple clouds from perhaps multiple vendors.

Another cost aspect that needs to be taken into consideration is that private clouds usually have a higher startup cost than public clouds, as the infrastructure needs to be built from scratch.

In our calculations, we noticed that some public clouds became too expensive. There was a mismatch between the public cloud provider’s pricing model and the way we uploaded and downloaded data. Our radiologists upload a study once, but often need to look at it multiple times. My advice is to use a cloud with a suitable pricing model.

Radiology Manager at a Swedish hospital running its PACS in a public cloud

Security

Regarding the security aspect, there is still a lot of confusion, between both on-premise and cloud in general, and between public and private clouds.

Much comes down to the control of data—who will have access to the data, and who can get access to the data. The public cloud is, by definition, used by multiple tenants, whereas a private cloud is single tenant, and thereby a private cloud is a more isolated entity that gives you full control of the data. However, while the private cloud might be perceived as more secure, many security breaches are the result of poor configurations and mistakes that derive from within the hospital’s IT environment. Security is all about building multiple layers of security, an area in which many public cloud providers possess superior expertise.

You may also consider the impact of the US CLOUD Act[3] on the cloud provider you choose. It stipulates that US cloud providers, private and public, are required to disclose any data they keep, if so instructed by a US governmental agency.

As a healthcare provider, you need to understand the entire security infrastructure. The public cloud means more shared responsibility of security parameters. Some elements of security are typically provided by the cloud provider, while some are provided by third parties. This is in contrast to the private cloud provider, which generally has control over all security parameters in-house.

Another aspect to consider is that a public cloud means that you need to assume a greater responsibility for security. The public cloud provider does not normally offer the same level of support in configurations or in relation to performing customizations to suit the applications used. With a private cloud, and a public cloud provided by a health IT vendor, a higher level of assistance and customization can contribute to the development of a more secure environment.

Generally speaking, security is expensive. Economy of scale means that the larger the cloud you build, the more you can spend on security. Public clouds are generally larger than private clouds and hence more money is spent on and effort put into security. However, the majority of industry experts agree today that most cloud models are, on the whole, more secure than a general on-premise installation.

Implementation times

The time from decision until you can utilize the system and its applications is normally shorter with public clouds. Especially for those provided by the tech giants, since they offer a ‘plug and play’ approach. The private cloud is similar to an on-premise installation, where the vendor first needs to build the environment and make suitable customizations before you can start using the service.

On the upside, the implementation of a private cloud, and to some extent a public cloud provided by a health IT company, offers a flexibility to adjust the environment and setup to meet specific application demands and to resolve issues. This can result in a faster and less painful implementation.

Performance

The higher customization of private clouds and public clouds provided by health IT companies can, in many cases, offer higher application performance since they can be tailored to maximize performance for specific needs. This is something that is highly dependent on the type of applications that will run in the environment, and whether or not they are designed for a cloud environment. Although the private cloud can initially offer higher performance, this will not last for long given that the hardware and software in public clouds is continuously upgraded.

Redundancy and elasticity

Private clouds have the ability to spread workload over multiple servers but are limited by the amount of server space the cloud vendor owns or operates. The public cloud has a much greater capacity to scale out its servers should demand suddenly increase, for example, in connection with an acquisition of a new hospital.

Public clouds (both models) have the advantage of being able to offer higher redundancy and can thus generally guarantee higher uptimes. Hence, public cloud providers can offer better service level agreements (SLAs) that, if breached, may result in fines as regulated in the contract. For you as a health provider, this can serve as an insurance to cover any extra costs and lost revenue if the system is inaccessible for a period.

Figure 2. An assessment of how different cloud models compare with each other in respect to various evaluation criteria.

The role of the hybrid cloud in medical imaging

No cloud model is better than the other in all dimensions. To leverage the benefits of both public (provided by either health IT vendors or tech giants) and private clouds, the hybrid cloud model might be a suitable alternative. By combining models, you can take advantage of the private cloud’s higher degree of customization, ensure high-performance applications and suitable business model, while leveraging the public cloud’s superior elasticity and redundancy.

In combination, a hybrid model will outperform the best private and public cloud. For example, the public cloud could work as a database for research and training data for AI. In this case, the public cloud’s pay-for-use model becomes especially beneficial as the data needed might only be temporary.

What it all comes down to

Healthcare providers are adopting the cloud for their IT systems to a much greater degree now than just a few years ago. This article has hopefully given you some guidance on which cloud model—private or public—and vendor to choose for your organization.

There is no cloud model that is better than the other in all dimensions. But whatever model you choose, it is important to know its strengths and limitations. Moving forward, we will most likely see an increase in the adoption of hybrid clouds enabling you to take advantage of the benefits of both the private and the public cloud. Who doesn’t want the best of two worlds, really?

 

References

  1. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf
  2. https://www.inap.com/blog/network-redundancy-vs-network-diversity/ Quote: “Being geographically diverse protects you from weather events, construction and other single location incidents”
  3. https://www.congress.gov/bill/115th-congress/house-bill/4943
Apr 21, 2020Author: Simon Häger, Market Strategist at Sectra

Related reading
Security in RFPs in healthcare IT
Articles | Enterprise imaging | Breast imaging | Cardiology imaging | Digital pathology | Enterprise platform | Orthopaedics | Radiology imaging | Share and collaborate
Browse all resources

Related products

Browse all products