Cutting through the Fog of Cloud Computing

August 18, 2010
Marion K. Jenkins, PhD, and Randall E. Scott, BS, CS

MDNG Pediatrics, June 2010, Volume 8, Issue 2

More than one technology pundit has claimed that desktop software and computing that relies on local servers is on life support, soon to be replaced by an Internet-based approach that relies on a "cloud" of applications and virtual resources that are delivered over the Web via your browser. Are proponents who want to apply this concept to EMRs correct when they say that this is the future of health IT, or do they have their head in the clouds?

Cloud computing—along with its close technology cousins, SaaS (Software-as-a-Service) and ASP (Application Service Provider)—is all the rage. It seems like every healthcare software vendor is throwing around these buzzwords, as if they are the Holy Grail of healthcare technology. Typically, the advantages touted include the following:

• Eliminate all local computer software

• Reduce the risk of hardware and/or network outages

• Lower cost of installation and maintenance

• Easily scale to virtually unlimited computing horsepower and storage capacity

• No headaches of ownership

While all of those advantages are technically somewhat true, most of them are an oversimplification, and there are also significant risks and disadvantages associated with this technology.

Cloud computing has applicability in many, but certainly not all, business and technology settings. And for many healthcare organizations and physician practices, it’s the wrong solution.

What is SaaS/cloud computing?

It is IT outsourcing on steroids, and in many ways, it is merely a new name for technology that has been around for a long time. Back in the dot-com boom in the late ’90s, there were many technology hosting companies that developed service offerings, and they coined the name Application Service Providers—or ASPs. But it goes back even further, to the early days of mainframe computers, where large companies like Boeing Computer Services and Computer Sciences Corporation had the means and resources to build large-scale computer centers, and smaller companies would purchase blocks of CPU time and other services. This was known as time sharing (not to be confused with vacation properties); so cloud computing is not really new.

What are the risks and disadvantages of SaaS/cloud computing?

Higher overall cost

When faced with the one-time costs of a new server/storage/networking platform, a smaller, pay-as-you-go monthly number might look appealing to a medical practice considering an EMR or new practice management system. But while cloud computing may offer users the advantage of quick start-up, some have found that investing in your own IT platform is a better value in the long term. Depending on your level of use, you can typically hit a break-even point between nine and 18 months; beyond that time frame, the monthly costs of the SaaS/Cloud model can be much higher. And even after paying the monthly fee for 24 months, you still don’t own anything and have to keep paying every month.

If monthly cashflow is an issue, a three-year, lease-to-own model provides roughly the same monthly payment amounts, and when the lease ends the payments also end, and you own the equipment free and clear for another 1-2 years of its useful life. Over time, investing in your own equipment costs far less—provided there are no major issues with the equipment.

There are still significant technology risks

In fact, in some ways SaaS/cloud computing risks are greater than having your own equipment. For example, with a typical client/server setup in your own office or clinic, if you lose your Internet connection you can still work, although you may lose some functionality. With SaaS/cloud, what happens if you lose your Internet connection? Are you able to save your work on a local hard drive if power is lost, then upload to the cloud when it is restored? This is the type of question you need to ask a provider if you’re considering going the cloud route.

Speed and connectivity

That round blue cable in your clinic is called Ethernet, and it runs at 100 Megabits per second (Mbps). A T1 circuit, which is a fairly standard broadband Internet connection, runs at only 1.5 Mbps, or only 1/60th of that speed. Plus everyone in the office must share the T1, whereas every workstation gets 100 Mbps on your local Ethernet network. So the response time for your SaaS application may be very slow. This is particularly critical for EMR, PACS, and digital images, where a single patient study can easily be 100 Megabytes. The SaaS provider may show you fast response, but that is a demo. And they may tell you of the many happy clients who are using their service today, but since SaaS is relatively new, in our experience we’ve found that most of those customers are not fully using their applications across their whole clinic, and probably don’t have many years’ worth of business and clinical data loaded into the system yet.

Where is your data?

When you ask this question of the provider, they might glibly reply that it’s “in the cloud.” Well, what, exactly, does that mean? They all say they have it secured in some kind of Fort Knox-type data center somewhere, but we have seen many of those so-called data centers, and some are just glorified offices with computers and other gear lying around literally on the floor. And what happens when you want to get your data back, either at the end of your contract, or earlier? Are you comfortable with not only putting your trust in the service provider’s software, but also irreversibly linking your vital business and clinical operations—and giving all your data—over to them? If not, this is something that needs to be ironed out before you agree to anything.

On top of that, you’re trusting not only your SaaS/Cloud provider, but also its choice of hardware and implementation vendors as well. Recently there was a case of a large national cloud provider losing the data of approximately 7,500 customers (http://hcp.lv/ce66GS). The company sued its hardware storage vendor and its IT implementation vendor. But that did not do anything to get their clients’ data back. Is your data really safe? What if someone at your Cloud/SaaS provider—or an outside hacker—decides to get the data and sell it or use it inappropriately? There have been stories of internal IT staff stealing client data from an online service provider, and external hackers breaking into large corporate databases (4.2 Million Credit Card Numbers Stolen From Supermarket Chain; http://hcp.lv/csLgJ6, and Heartland Data Breach Could Leave 100 Million Accounts Exposed; http://hcp.lv/b7cEto). What’s to prevent that from happening to your data? No company can totally prevent data loss or theft, but by putting your data with your provider, you are assuming they are taking all the necessary steps to keep your data safe. Before you commit to a SaaS/Cloud service provider, you should investigate everything possible about their operations; obtain detailed information about the company’s security system, including how often tests are conducted.

You can only get the software that your provider gives you, and on their release/rollout schedule.

All software has updates and new releases. When you control your own IT destiny, you can decide when—and even if—you want to migrate to a new software release or do a technology upgrade. If someone else is providing IT as a service, you only get what they offer you, and the schedule is based on their timeframe. We know many clients who have developed their own reports and interfaces based on a certain software platform (SQL Server 2005, for example). They had invested a lot of time and energy, and they did not want to automatically upgrade to SQL 2008 when it first came out, because their reports and interfaces would not work with SQL 2008. If they had been using a SaaS provider, they would have had no choice.

When there is an outage, where do you stand as far as restoration is concerned?

If you share an IT platform that is also used by United Airlines, the city of Los Angeles and Pfizer, who is the service provider going to get back up and running first? You may be much lower on the pecking order than you think. There may be service level agreements (SLAs) that give you some future credits for outages, but that doesn’t do much to help you with the operational costs of the outage and its impact on your clinic. And these outages are more common and more widespread than you might think. Some of the largest SaaS/Cloud providers have suffered multiple major outages, including Google’s Gmail (Gmail Outage Marks Sixth Downtime in Eight Months; http://hcp.lv/blj4nL) and BlackBerry (BlackBerry Outage Not Winning Any Fans for RIM; http://hcp.lv/b3H3F3).

You May Already Be Using Cloud Computing!

These services, which you might already be using, take advantage of cloud computing:

Google Docs (http://docs.google.com): create and share your work online.

Practice Fusion (www.practicefusion.com): free, Web-based EHR.

Gmail (http://mail.google.com): So, Google has quite a grasp on the cloud computing market. Gmail allows for less spam, mobile access, and virtually endless storage.

Snapfish (www.snapfish.com), Picasa (http://picasa.google.com), and Flickr (www.flickr.com): store and share your photos using these services.

You are not only completely locked into your service provider’s software, but to its infrastructure as well.

In essence, you have put both your software and your hardware “eggs” in one basket. Your SaaS/cloud provider may tell you that you can cancel if you want to down the road, but keep in mind that your provider knows that they have your data and that you have no internal IT infrastructure. Therefore, they know you are pretty much totally dependent on them and can’t move your technology services without a major headache and even more downtime.

Not all SaaS/cloud companies have the resources of Amazon, Google, and Microsoft

They may not own/manage their own IT infrastructure platforms, opting instead to rent space, power and access in another company’s data center. If this is the case with the provider you choose, you aren’t just dependent on the vendor, you may also unknowingly be dependent on their hosting provider. Be sure to demand transparency with a SaaS/cloud company, covering all the bases in terms of whether it manages the data and where the data center is located.

Opening up your network to your SaaS/Cloud provider may provide a gateway for them to access other information on or within your network.

When Google first released their free desktop search tool, which is a type of cloud application, there were concerns from many IT security experts that Google would be able to “see” everything on your hard drives. And there have been other applications that have raised similar security concerns. (Google, Microsoft Online Apps Raise Security Questions; http://hcp.lv/b7dVgF).

So is this virtual, on-demand IT model all bad?

Cloud computing has good applicability in certain situations, such as when your business largely consists of a virtual workforce, where you do not have a centralized office. In this case, locating IT infrastructure at the “central” office would not work, since there is not a centralized office. This is not the case in a typical healthcare setting, where patients come to a physical office and the transaction is largely done face-to-face.

If you have thoroughly researched the service offering(s) of the provider and they offer exactly what you want and need for your business, then a cloud-based system may be right for you, if you are comfortable:

• Sharing your vital business and clinical data with them;

• Building your business and clinical processes around their offerings and services;

• Relying on them to provide your desired services—both software and hardware—for years to come

Other situations in which SaaS/cloud computing may be a good fit include:

• You only need a set of generic applications that are generally not considered that mission- or business-critical, such as instant messaging, webmail, blogging, etc. In fact all common Web applications are essentially “on-demand” applications, so the use of SaaS/Cloud Computing is already widespread. However, a small number of organizations, including Beth Israel Deaconess Medical Center in Boston, MA, have begun using cloud computing to enable physicians throughout the system to access electronic patient records (http://hcp.lv/9F9kyB).

• The business and clinical model comprises a largely federated data structure, such as with a health information exchange. In this case, data is shared among and between many disparate entities, none of which is really the controlling entity. In this case it is necessary to have a neutral repository for the data.

• A practice with a lack of capital, poor cash flow and/or inability to access credit. However, you are going to have to fill out a business credit application, so chances are if you can qualify for the SaaS/Cloud monthly payment terms, you could also qualify for a lease.

• You want to expense everything possible, and do not want to have capital expenses and/or carry capital assets on your books.

• You need to conserve your capital for expansion or other investment. However, here again a leasing model can provide the same capital preservation advantages.

In summary, cloud computing has some advantages in certain situations, but most healthcare settings do not fit the model. Cloud/SaaS computing takes IT outsourcing to an extreme level, and represents a potentially irreversible 3-5 year decision. In addition, there are many disadvantages, and each application needs to be examined carefully. There is definitely no one-size “cloud” that fits all situations.

Marion K. Jenkins, PhD, and Randall E. Scott, BS, CS, are co-founders and CEO and CTO, respectively, of QSE Technologies, which provides IT consulting and implementation services for medical facilities nationwide. Learn more about QSE Technologies at www.qsetech.com.