There are challenges moving your healthcare company to the cloud and they are not minor.
All too often the mantra is repeated “just move to the cloud there are no regulations preventing cloud adoption.” As much as I wish that this were true, it’s simply not the case. Regulations and restrictions don’t only originate from Federate statutes. State specific laws that govern use, dissemination, storage, and sharing of data have a significant role. If, and only if, those hurdles can be overcome can we then tackle all of the existing memorandums of understanding, memorandums of agreement, and business associate agreements between partners, agencies and companies with whom we do business. The list gets very complicated from here as we open the door and enter the realm of state and federal subsidies supporting public programs such as Medicaid and Medicare.
As the former Head of Information at Access Health CT, I was responsible for pioneering AHCT’s industry leading digital platform transforming consumerism and retail oriented services for the health insurance industry. This monumental accomplishment, was the result of amazing collaboration between teams at the state and federal levels to deliver a unified solution. ahCT Mobile has utilized these technologies to transform and evolve Health Insurance Exchanges to the next level by digitizing the business model to significantly enhance the consumer experience while streamlining the process for enrolling in benefits and buying health insurance.
Many people don’t know about the difficult up-hill journey, required to pull off a successfully migration to the cloud with mobile. I’m not talking about the technology. Although the technology is complex when dealing with multiple data centers and hundreds of servers – we’re talking about getting the required agreement to move forward. Allow me to share CIO insights on how the internal orchestration actually transpired and how major obstacles were overcome.
There were two major challenges which we’ll discuss, in addition to the approaches and solutions of how they were effectively managed.
Third-Party Involvement – most healthcare companies receive significant revenue from public healthcare systems reimbursement such as Medicaid and Medicare. The result is getting third-party buy-in is not optional, it’s mandatory.
The Challenge: Mandatory compliance is extremely difficult, or your company risks huge financial penalties and lost reimbursement typically 30-60% of total revenue. The National Health Expenditure (NHE) grew 3.6% to $2.9 trillion in 2013, or $9,255 per person, and accounted for 17.4% of Gross Domestic Product (GDP). Medicare spending grew 3.4% to $585.7 billion in 2013, or 20 percent of total NHE. Medicaid spending grew 6.1% to $449.4 billion in 2013, or 15 percent of total NHE. Private health insurance spending grew 2.8% to $961.7 billion in 2013, or 33 percent of total NHE. If 33% is from private health insurance spending, guess where the other 67% of the 2.9 trillion comes from? You guessed it public programs such as Medicaid, Medicaid, CHIP, CASH, TANF and others. Most healthcare companies depend heavily on revenue from State Medicaid (similar to Department of Social Services) and other pubic program reimbursements models. HIPAA is not only worry when it comes to corporate compliance to data protection.
The Solution: We didn’t take the quick way out. In order to deploy the mobile technology in a secondary data center (cloud provider), the team used a complete security solution including security identity managers, security access managers, integrated directory servers (identity and authentication stores), multi-factor authentication services, secure web services, security information event management, upload protection engines, state certified SSL certificates and 2048-bit encryption. Additionally, no consumer data was stored in the cloud, to meet Federal guidelines (at the time).
State and Federal Compliance – It’s easy to underestimate the paperwork required for change. When your organization is accountable for IRS Federal Tax Information (FTI) and state personal identifiable information you’re held to a higher standard.
The Challenge: Under estimating the commitment to compliance requires of your organization from processing appeals updates, filing security data, storage, and frequent updating of each vendor contract, is a rookie mistake. Probably the best parallel would be attempting to do anything at the Department of Motor Vehicles 10 years ago; most will remember the multiple trips for simple requests due to insufficient information on hand (of course none of which was previously requested to present until you were at the counter). This is very similar to the state and federal process for changing data or security procedures. Depending on the approach taken, this change alone could result in millions of additional projects costs (for seemingly simple changes).
There is a significant amount of quarterly filings requirements and updates whenever there is a security impact to the enterprise security footprint such as (not exhaustive): SPR – Safeguard Procedures Report, FTI – Access to Federal Tax Information Disclosure, IEA – Information Exchange Agreement, ATC – Authority to Connect, CMA – Computer Matching Agreement, Master and Associate, PIA – Privacy Impact Assessment, AISA – Associate Interconnection Agreement, MISA – Master Interconnection Agreement, SPP – System Security Plan, SAR – Security Assessment Report, ISRA – Information Security Risk Assessment, POA&M – Plan of Action and Milestones and dozens of Master Service Agreements with state agencies. Each agency of course has their own standard of acceptable data use; it’s a rare day when policies from any two of these agency’s align.
The Solution: First we engaged two amazing technology partners, and also leveraged the expertise of the IT department at the State of Connecticut. The solution was architected meticulously. All communication between the mobile application and mobile proxy servers in the state datacenter was over secured HTTPS. The proxy is also stateless and does not store any data locally in a database or on the file system. It also does not maintain any session state and it does not have a database or save information to the filesystem as all requests are processed in-memory (some technical elements intentionally omitted to protect the production application security framework, still in use today).
In order to incorporate stateless architecture and cloud based resources, your internal application architecture must evolve. Even after all the technology has been identified and the plan is in hand, success absolutely depends on world class team orchestration. It was extremely exciting to lead such a capable and determined cross functional team – delivering the first national mobile application to fully enroll in a health plan entirely on a mobile device – ahCT Mobile!
Hopefully, these examples help to provide clarity around the level of complexity for making changes that impact infrastructure and security triggering actions to either re-contract, re-submit, review or resign the existing technology landscape. Many of these documents range from 100 pages over 500 pages, capturing more detail than a human would ever want to record.
Cloud adoption when dealing with security at an enterprise and multi-agency level is much more than just compliance with HIPAA.
Roubini, N. (2014). Slow growth and short tails in 2014 (online image). Retrieved December 16, 2015, from http://www.livemint.com/Opinion/JB7UQUifbHmBTAgKzbCZlN/Slow-growth-and-short-tails-in-2014.html