Cloud Computing: The Coming Storm

Bio: Robert Fox, Data Architect, Arkansas Blue Cross Blue Shield. 18 years of data architecture and warehousing experience in the finance, telecom, and health insurance industries.

What is a cloud?

Cloud computing: a way to increase capacity or add capabilities on the fly without investing in new infrastructure, training new personnel, or licensing new software. Cloud computing encompasses any subscription-based or pay-per-use service that, in real time over the Internet, extends IT's existing capabilities. [InfoWorld]

"Cloud" is a good name for this phenomenon. A cloud is something that:
- you can't reach out and touch;
- isn't solid, and changes shape;
- you can't see the other side of;
- you can't really measure, but suspect is pretty big;
- comes in different types that no one seems able to tell apart;
- everyone talks about (like the weather), but no one can accurately predict.

What is "cloud" in IT? Cloud means virtualization: giving you a "virtual" version of what you need and masking you from the details. Some analysts and vendors define cloud computing narrowly, as an updated version of utility computing: basically virtual servers available over the Internet. Others go very broad, arguing that anything you consume outside the firewall is "in the cloud," including conventional outsourcing.

I think the best approach for this presentation would be to walk through several examples of cloud computing, to get everyone on the same page regarding the definition of the term, then we'll spend some time talking about concerns, risks, what's ready for prime time and what scenarios are not, and what you should be doing today to prepare the way for the coming cloud computing storm.

Cloud Hardware Example - SAN (Local Disk Storage vs. Storage Area Network)

Most of you should be familiar with SAN, Storage Area Networks. What you may not have been aware of is that SAN is a form of cloud computing: with SAN you replace local server disk with "virtual disk" in an enterprise cloud within your network, or with virtual disk in a public cloud. Of course, you can move your disk further than just across the datacenter. There are dozens of Internet-based virtual disk storage services (Dropbox, Google Drive, Windows 8's SkyDrive). These solutions have become so pervasive that they have almost replaced USB drives as the preferred personal storage medium, the way USB drives replaced floppy disks and CDs.

Addressing "Shadow Cloud": your IT department needs to figure out how to enable secure, sanctioned employee access to information before data starts getting moved to all manner of unsanctioned cloud drives. Once a claims spreadsheet is sitting in an employee's personal file-sync account there is no agreement with that provider, no audit trail, and no way to answer the questions a breach investigation asks. The practical controls are to offer a sanctioned equivalent and to watch outbound traffic for the unsanctioned ones.

Virtualizing the hardware moves more than just disk platters; it also relocates skill-set requirements. Gartner talks about moving from a technology paradigm (where you have to understand and worry about RAID levels, disk types, replication, backups, etc.) to a cloud paradigm (where you deal with service levels, performance, and data security). This is a great point. Moving your infrastructure to cloud computing doesn't mean that all your problems go away; it means you've traded one set of problems for another. Trades are sometimes good, and they're sometimes bad. As is always the case when you consider releasing control of some aspect of your infrastructure, you have to weigh the risks you take on by giving up control against the advantage of being able to focus your attention on your core business. If you can find a way to mitigate the risks and to reallocate your resources in a way that gives you more return on your investment, you may be in a position to make a wise trade.
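One concrete way to "watch for the unsanctioned ones" is to run the web proxy log through a classifier that tallies traffic per user to consumer file-sync services that IT has not sanctioned. The script below is an added example, not part of the original presentation: it assumes Squid-style access log lines, the hostname patterns and the sanctioned-service set are illustrative assumptions, and the log lines are constructed for the demonstration.

```python
"""Flag "shadow cloud" storage use in web proxy logs.

Added example (not from the original presentation). Assumptions: Squid native
access.log layout, illustrative hostname patterns, and a constructed sample log.
"""
import re
from collections import defaultdict

# Consumer file-sync services named on the slide (Dropbox, Google Drive,
# SkyDrive). Assumption: these patterns are illustrative, not exhaustive.
SERVICE_PATTERNS = {
    "dropbox": re.compile(r"(^|\.)dropbox(usercontent)?\.com$"),
    "google_drive": re.compile(r"^(drive|docs)\.google\.com$"),
    "skydrive": re.compile(r"(^|\.)(skydrive|onedrive)\.live\.com$"),
}

# Assumption: IT has sanctioned only SkyDrive (agreement signed, SSO enforced).
SANCTIONED = {"skydrive"}

# Squid native access.log layout:
#   time elapsed client code/status bytes method url user hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)"
)


def host_of(url):
    """Hostname from either a full URL (GET) or a CONNECT host:port target."""
    rest = url.split("://", 1)[-1]
    hostport = rest.split("/", 1)[0]
    # Strip a single ":port"; a bracketed IPv6 literal has more colons and is
    # left untouched (it will simply not match any service pattern).
    host = hostport.rsplit(":", 1)[0] if hostport.count(":") == 1 else hostport
    return host.lower()


def classify(host):
    """Return the service name for a known file-sync host, else None."""
    for name, pattern in SERVICE_PATTERNS.items():
        if pattern.search(host):
            return name
    return None


def shadow_cloud_report(lines):
    """Sum bytes per (user, service) for traffic to unsanctioned storage."""
    totals = defaultdict(int)
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed line: skip it rather than abort the run
        service = classify(host_of(match.group("url")))
        if service is None or service in SANCTIONED:
            continue
        # Over TLS the proxy only sees a CONNECT tunnel, so the signal is the
        # destination plus the volume moved, never a file name or URL path.
        totals[(match.group("user"), service)] += int(match.group("bytes"))
    return dict(totals)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
1379980801.123    512 10.0.4.17 TCP_TUNNEL/200 5242880 CONNECT www.dropbox.com:443 jdoe HIER_DIRECT/108.160.172.206 -
1379980802.456     30 10.0.4.17 TCP_MISS/200 1834 GET http://intranet.example.com/claims/today.html jdoe HIER_DIRECT/10.0.1.5 text/html
1379980803.789    220 10.0.4.22 TCP_TUNNEL/200 1048576 CONNECT skydrive.live.com:443 asmith HIER_DIRECT/131.253.40.88 -
1379980804.012    900 10.0.4.31 TCP_TUNNEL/200 20971520 CONNECT drive.google.com:443 bwong HIER_DIRECT/74.125.225.14 -
1379980805.345    100 10.0.4.31 TCP_TUNNEL/200 2097152 CONNECT dl.dropboxusercontent.com:443 bwong HIER_DIRECT/108.160.172.1 -
this line is garbage and should be skipped
"""

if __name__ == "__main__":
    report = shadow_cloud_report(SAMPLE_LOG.splitlines())
    for (user, service), nbytes in sorted(report.items(), key=lambda kv: -kv[1]):
        print(f"{user:10s} {service:14s} {nbytes / 1048576:8.1f} MiB")
```

The sanctioned service is deliberately excluded rather than merely down-weighted: the point of the report is to hand IT a short list of people who need the sanctioned alternative, not to police the people already using it.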

Trends in Cloud Storage Solutions

This picture shows Gartner's take on what's hot and what's not in cloud storage solutions. This evaluation spans all industries, not just health insurance. In our industry, I would say that the cloud storage solutions that seem to be gaining traction are:
- Cloud archiving/backup: secondary storage with faster access than tape, and very easy to add capacity as needed (Mozy, advertising on Pandora).
- Storage gateway / file sync and share: a means of accessing the same information from desktop, remote, and mobile platforms.
- Recovery as a service: next slide.
- Big Data analytics: cloud solutions involve storing massive amounts of raw data in the cloud and small amounts of relevant data in more active storage (usually locally). In my mind, this is less a big data issue and more of a secondary storage (hot/warm/cold) implementation. I think the case is easier to make when the amount of storage needed fluctuates widely and the data is not subject to HIPAA compliance issues.

Compliance issues are very complicated, with very strict physical and logical access requirements, mandatory audits and more. Most cloud storage solutions are not compliant with these requirements today, but they are headed in that direction. If you can find a solution that meets your compliance requirements, this may indeed make much more sense than taking on all this risk yourself. Unfortunately, I don't believe the cloud storage industry is there yet when it comes to HIPAA compliance.

Cloud Hardware – Logical Servers (vs. Dedicated Servers)

The second example is another form of virtual hardware, a.k.a. "utility computing". Basically, instead of dedicating a server to an app or environment, this implementation uses virtual hardware instead. This can be a single server that is simply further away than you realize, but more likely it is a "slice" of a larger box that is masquerading as a smaller server. Some vendors use the term LPAR (logical partition) for this. The advantage of this virtual server configuration is that it allows the group maintaining the server farm to scale capacity up and down as needs grow and shrink. It is possible to dedicate more CPU and memory to some LPARs during business hours and move that capacity to other LPARs after hours. This is quite common within the enterprise cloud in your own data centers. But like cloud storage, cloud servers can also be implemented on the Internet, beyond your firewall. The same concerns apply regarding security and access, service levels and operational costs, but there are cases where virtual servers may make sense, particularly for hosting web applications that need to interface with the world outside the firewall. Gartner claims the future will be a hybrid of legacy IT (dedicated local devices), enterprise clouds, and public clouds.

We mentioned Recovery as a Service (RaaS) on the previous slide. This is actually an interesting take on outsourced disaster recovery: RaaS implements managed server and production data replication into the provider cloud, with recovery possible at the provider site or through the cloud when required.

Cloud Hardware – Grid Computing (Grid Server vs. Dedicated Server)

One last hardware example. I include this one because it is exactly the reverse of the last. Instead of one large server pretending to be dozens of small servers, this form of virtualization makes a bunch of smaller servers look like one large one. This is known as "federated servers," or "grid computing." The advantage is that you can scale capacity up with commodity servers to mimic high-end, very expensive capacity. Done correctly, the environment scales nearly linearly, can be grown and shrunk dynamically, and includes load balancing and hot swap of failing components.

There are many other forms of virtual hardware; it is not limited to disks and servers. There are even companies offering software-defined networking: a virtual network that can be scaled up and down as the need demands. Datacenters used to be racks of dedicated servers. Today they are shifting to virtual servers, virtual disk farms, and virtual networks, able to scale capacity to meet demand. This capability exists in your data center today. Tomorrow, it may be moving out of your datacenter altogether. That trend has already begun.

Cloud Software – Virtual Applications (diagram: Time Entry, Sales Force Automation, Members App, and Claims App connected through an Enterprise Service Bus (ESB))

Cloud-based applications include:
- Retail: Amazon/eBay
- Social media: Facebook/Twitter/Instagram
- Banking: online banking (NetTeller)
- Productivity/HR: email (MS Outlook.com), time entry (Kronos), Webex, backup/archiving, Google Apps, Zoho Office
- Development platforms

A variation on this theme is managed service providers, who expose hosted applications to IT rather than to the business. Such services include things like email virus scanning, email spam filters (e.g. Postini), and application monitoring.

Availability/reliability issues:
- Outlook.com down 3 days due to a bug in the software that syncs smartphones and tablets with company email.
- Gmail crashed for five minutes Aug 17th.
- Amazon.com down for an hour Aug 19th.
- Web site: http://www.downforeveryoneorjustme.com (isup.me)

Cloud Software – Software Services (diagram: Demographics Vendor, Claims App, and Exchange App connected through an Enterprise Service Bus (ESB))

Cloud software, a.k.a. "Software as a Service (SaaS)".

Creating strategic models for cloud service consumption: a recent Gartner survey revealed that an internal cloud services brokerage is emerging, whose job it is to improve the provisioning of cloud services for employees and external business partners. As organizations add more and more cloud providers to the mix, this role will become vital.

In a true Service-Oriented Architecture (SOA) with an enterprise service bus that handles the provisioning and security functionality, all your internal apps would ideally be decoupled, communicating with each other through web services: an enterprise cloud of virtual services. In that environment, it is relatively simple to include some services that are hosted in a public cloud outside the firewall, because the bus is already the one place where callers are authenticated, authorized, and logged; an external service is added behind the same choke point rather than wired directly into each application.

Other examples: USPS, Google Maps, Bloomberg, credit scoring.

Cloud Resources – Services (diagram: Temp Contractors, Full-Time Employees, Outsourced Resources)

If you walk through our vendor exhibition area, you will find a broad range of offerings, but they can be generalized as falling into one or more of three categories: hardware, software, and services. We've talked about cloud-based hardware and cloud-based software. Conceptually, it should not surprise you to find that "cloud computing" includes virtualized human resources as well: call centers, network support, shredding, food services, immigration.

Cloud Solutions Can Reduce Expenses (diagram: patients, payers, and providers linked by premiums, payments, and services; care/wellness on one side, expenses and profits on the other)

Local vs. Cloud Solutions

Local solutions:
- Complete solution under your control
- No risk introduced from "partners"
- Easily customizable
- Complete transparency
- Dedicated equipment
- Performance
- No potential for "mixing" data with other clients
- Low cost after initial investment

Cloud solutions:
- Scalable: small or large company, phased adoption
- Economical: through competition, through economies of scale (on demand)
- Shift from upfront capital investment to pay-as-you-go operational expense
- Lets you focus on your business
- Shared legal risk
- Portability / disaster recovery

Cloud services' practices and procedures are locked down; it is usually not the data center guys that leak the data. Usually the leaks come from other areas, like sales or marketing, people wanting to do the right thing but just not using the right methods to get their job done. Demand for cloud solutions is growing in part because of the acceleration in the amount of data, the need for cost containment, on-demand fluctuations, ubiquitous endpoint access, and an increasingly mobile workforce.

Concerns:
- Regulatory compliance issues
- Certifications
- Clarity of responsibilities
- Vendor credibility: technology too new for vendor track records
- Dependability: technology immature, not always reliable
- Performance

An article in Wired discussed MemSQL's decision to pull out of Amazon's virtual servers and bring that in house. Using the virtual servers was a low-cost entry point, allowing them to scale up, but when they reached a relatively constant scale, they found that the ongoing pay-as-you-go cloud solution was costing them $324K per year. They could buy all the servers they needed for $120K and pay for the investment in four months. There is an ongoing cost to in-house solutions, of course, but even with a plan of replacing the hardware every four years, that came out to only $67K/year, as opposed to the $324K cloud solution.

The CTO of California-based Tradesy left Amazon because the pure operational cost, once the hardware was purchased, was "between 70 and 100 times cheaper." The same article quoted a customer of Rackspace, Amazon's main competitor, as leaving that cloud solution for their own datacenter for performance reasons: sharing resources with other companies means you are all competing for the same bandwidth.

At this point, many cloud solutions are geared more toward companies with broadly fluctuating volume demand, and toward companies looking for an interim solution to "ramp up" a project with low initial investment. This is not true of all cloud solutions, of course; the answer is never that simple. But in general, if you are looking to the cloud for some general functionality you could easily perform in-house given the resources, then the operational cost is most likely going to be much lower doing it yourself, once you reach steady-state capacity. There are, however, some very specialized services that would be very difficult to bring in house. Acxiom offers demographics as a service. This service leverages not only Acxiom's subject matter expertise; it also uses their dynamic, living database of the demographic details of every person in the country. That isn't a service you are going to be able to duplicate in-house.

Security – HIPAA "Final Rule"

HIPAA originated in 1996. It was updated this year (a.k.a. "HIPAA 2.0"): the Omnibus Final Rule was released January 17, 2013, and its compliance date was yesterday, September 23rd. The new documentation includes 1,358 occurrences of the term "Business Associate": any entity that creates, receives, maintains, or transmits PII/PHI on behalf of a covered entity, i.e. anyone with access to the data other than the originator. The Final Rule defines the legal obligations of these Business Associates, including an agreement for them to sign. There are legal and financial obligations in both directions for failure to have your Business Associates sign a Business Associate Agreement (BAA).

"HIPAA-compliant cloud computing is so much more than just signing a BAA. It's about an entire culture of compliance that's verified by an independent audit based on HIPAA's Audit Protocol and includes a Report on Compliance – every year." Mike Klein [Co-CEO, Online Tech, Inc.]

When it comes to cloud vendors, the 800 lb gorilla, of course, is Amazon Web Services. According to analyst firm Forrester, AWS has about 71% of the entire cloud market. Curiously absent from the BAA parade: a direct question about BAAs appeared on Amazon's AWS Forum earlier this year, along with a decidedly vague reply three weeks later.

February 6 inquiry posted to the AWS Forum: "Amazon has previously taken the position that it is not required to sign BAAs with companies that run HIPAA applications and/or permanently store PHI on AWS. The new HIPAA Omnibus rules appear to specifically call for cloud vendors to sign BAAs with such companies. Has Amazon reconsidered its position on the Omnibus rules with regard to signing BAAs?"

February 27 AWS response: "AWS is aware of the new HIPAA omnibus rule published on January 17, 2013. We are in the process of considering the impact of that new rule to AWS."

Which also raises questions about Apple's iCloud. To this point, iCloud has been predominantly (if not exclusively) focused on all of us as consumers. As consumers, we're all free to do anything we like with our own PHI, of course; no BAA required. That's not necessarily the case for clinical iOS devices that use iCloud for any type of PHI data storage. I'm not aware of any iOS-based clinical devices that do, but this could well be the point at which Apple has to start making some legally binding commitments to our $3 trillion healthcare industry.

Here are some highlights from the Omnibus Final Rule that healthcare providers and covered entities should be mindful of to ensure compliance by Sept. 23.

1. The final rule expands patient rights by allowing them to ask for a copy of their electronic medical record in electronic form.

2. Under the final rule, when patients pay out of pocket in full, they can instruct their provider to refrain from sharing information about their treatment with their health plan.

3. If a Medicare beneficiary requests a restriction on the disclosure of PHI to Medicare for a covered service and pays out of pocket for the service, the provider must also restrict the disclosure of PHI regarding the service to Medicare.

4. The final rule sets new limits on how information can be used and disclosed for marketing and fundraising purposes, and it prohibits the sale of an individual's health information without their permission.

5. Penalties for noncompliance with the final rule are based on the level of negligence, with a maximum penalty of $1.5 million per year for violations of an identical provision.

6. The breach notification rule was amended to require determining the breach's "risk of compromise" rather than risk of harm. "Compromise" was considered a more objective test than harm. Thus, breach notification is necessary in all situations except those in which the covered entity or business associate demonstrates a low probability that the PHI has been compromised.

7. To determine whether there is a low probability that PHI has been compromised, the covered entity or business associate must conduct a risk assessment that considers at least each of the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
- The unauthorized person who used the PHI or to whom the disclosure was made.
- Whether the PHI was actually acquired or viewed.
- The extent to which the risk to the PHI has been mitigated.

8. The final rule changed which incidents are exceptions to the definition of "breach." Before, an incident was an exception if the PHI used or disclosed was a limited data set that did not contain any birthdates or ZIP codes. Under the final rule, breaches of limited data sets, regardless of their content, must be handled like all other breaches of PHI.

9. Providers and covered entities still have a safe harbor, in which an unauthorized disclosure only rises to the level of a breach, thereby triggering the notification requirements of the HITECH Act, if the PHI disclosed is "unsecured."

10. Unsecured PHI is PHI that is not rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary through published guidance. In practice that means encryption consistent with the HHS guidance (which points to the NIST encryption standards), and the safe harbor only holds if the key or decryption tool was not itself on the lost device or otherwise exposed; a stolen laptop whose disk key is taped to the lid is unsecured PHI.

11. Requirements for methods of breach notification remain unchanged. That is, providers and covered entities must provide notice to individuals, to the media (if the breach affects more than 500 residents of a state or smaller jurisdiction) and to HHS (if the breach affects more than 500 individuals regardless of location). Business associates, or people or organizations that conduct business with the covered entity that involves the use or disclosure of individually identifiable health information, must also provide notice to covered entities no later than 60 days after the discovery of a breach of unsecured PHI.

12. Covered entities' Notice of Privacy Practices forms need to inform patients that they will be notified if their PHI is subject to a breach. NPPs must also inform individuals that a covered entity may contact them to raise funds, and that the individual has a right to opt out of receiving such communications.

13. Business associate agreements and policies and procedures must address the prohibition on the sale of patients' PHI without permission.

14. Covered entities must modify and implement policies and procedures that address the new limits on permissible uses of information for marketing and fundraising activities.

15. Covered entities' business associate agreements and policies and procedures must address the expanded rights of individuals to restrict disclosures of PHI.

"If you use a cloud service, it should be your Business Associate. If they refuse to sign a Business Associate Agreement, don't use the cloud service." David Holtzman, Information Privacy Division, Office for Civil Rights (enforcement arm of Health and Human Services)

Recommendations
- Decide what problem you are trying to fix: compliance? mobile workforce? scalability? disaster recovery? expenses?
- Make enterprise decisions, not departmental ones.
- Adopt an enterprise Service-Oriented Architecture (SOA).
- Include the Business, IT, and Legal in the decision.
- Buy value, not hype.

Enterprise decisions: the up-front cost of a local solution or an enterprise cloud solution is rarely an option at the departmental level, but pay-as-you-go can get expensive quickly at the enterprise level, for the same reason that it's cheaper to take a taxi than to buy a car for a single trip. Then again, in an increasingly urban, connected world, with cheap, reliable mass transit and the increasing cost of parking and insurance, it may make sense to give up car ownership in many cases. At this point, cloud solutions are geared more toward companies with broadly fluctuating volume demand, and toward companies looking for an interim solution to "ramp up" a project with low initial investment.

Cloud solution spending in 2013 is up 10% over 2012. Large companies (1000+ employees) are projected to spend $2.8 million each in 2013 on cloud solutions; small companies are projected to average $486K each. SaaS investments are growing from 8% to 13% in 2013.

"... indications of a rapidly growing upwelling of Cloud purchase and use poised to surge across the business and IT landscape, far in excess of what we have experienced to this point. Unfortunately, the majority of user enterprises are only just beginning to understand and put into practice the increasingly loosely coupled policies, capabilities and approaches required to effectively manage and govern Cloud use in ways that deliver predictable, reliable, and recurring business benefits over time. Given that most enterprises are built on IT and organizational architectures emphasizing tight coupling of technologies and groups, this suggests massive organizational and IT change will be required just within the next few years."
Bruce Guptil, Saugatuck, "Global Cloud Adoption, 2013", www.information-management.com