On premise vs. cloud healthcare data storage: Which is better?
As hospitals system collect increasing amounts of data, there has been a lot of attention focused on where to store it. Traditionally, institutions have maintained their own centers, but amid exponential growth, they are looking for other options rather than pouring resources into constantly expanding and maintaining in-house server farms. Cloud data storage has become a major trend in healthcare IT, but there are questions hospitals should be asking if they are debating between cloud or on-premise storage
Josh Gluck, Pure Storage vice president of global vertical alliances and solutions, and a professor of health policy and management at NYU Wagner, believes hospitals need to do more homework when it comes to which solution is best for them. He spoke with Radiology Business at the Healthcare Information Management Systems Society (HIMSS) 2023 meeting.
"We have seen other organizations say they want to get out of the data center business because their board is telling them they do healthcare, they don't do data centers," Gluck explained.
He said organizations have struggled to determine which data-storage strategy best fits their needs. Changing health systems priorities also mean it may make more sense to send the data to the cloud today. But tomorrow, as priorities shift, organizations may need to keep data on-site or move it to remote-hosting by a service provider.
"From a trend prospective, what we are seeing is a lot of organizations wanting to do things differently, but struggling with what that means to them," Gluck said. "And this is often because the reasons are not clear for why they want to get out of the data center business."
Defining the reasons why is important for everyone's understanding. He said this can outline clear goals that should be achieved with a move to the cloud.
Outsourcing data storage can save physical space required to house servers, reduce costs to buy more server hardware, cut air-conditioning and electrical costs, and enable hospital IT teams to focus on supporting care teams.
Gluck said defining goals helps IT teams rationalize which workloads and data should reside in the cloud, and what data needs to remain on premise.
"What we have also seen is when they don't necessarily have the business driver correct; they underestimate what it is going to take to make that possible," Gluck explained.
For example, some organizations may want to leverage the cloud to boost cybersecurity, with many cloud providers offering 24/7/365 coverage by dedicated security IT teams. But it sometimes can make matters worse if hospitals do not understand their due diligence duties. There is sometimes a false sense of security in transitioning to the cloud, Gluck said. In the end, the healthcare organization still needs to attest HIPAA compliance of its data at that third-party center, so it extends out the HIPAA verification and concerns beyond the health systems campus.
"Organizations really need to rethink how they do things when they move workloads to the cloud. When cloud began to become a buzzword a few years ago, organizations would say 'I am moving to the cloud because it is easier, faster and cheaper for me.' But what they learned along the way is that the costs are not always less. The experience is different and it can be better, but it takes completely different staff and skill sets to manage those workloads in the same mission-critical space, compared to when it was on-prem," Gluck said.
How are hospital systems using the cloud?
Gluck said most healthcare organizations are using a mix of on-premise and cloud storage. Only a small number of organizations have taken their primary workloads completely into the cloud.
He said these hospitals have been much more thoughtful about what effort is required. Often, they are making the move to cloud to reduce risks, not to save costs. "When you do it to reduce risks, its means you are going to be more thoughtful about the mechanisms that are needed."
From his company's prospective, they feel it is important to have the same user experience whether workflow is provided by an on-premise data center or in the cloud. Gluck said the end-user should have no idea which they are using. But that requires training IT staff in how to manage data in whichever cloud is used, such as AWS, Azure or others, all with differing workflows.
For primary workloads that are moved to all-cloud, Gluck said enterprise imaging is one of the primary drivers. This allows all radiology, cardiology, pathology and other images from departments across the hospital system to store and retrieve image data from one location.
Some health systems also want to host their electronic health record in the cloud. Since Epic has emerged as the biggest EHR vendor, many cloud storage vendors want to work with the tech giant to make sure the operation of that system is seamless with their technology.
Key questions hospitals should be asking before speaking with data storage vendors
Gluck suggested organizations perform their due diligence before talking to vendors that have clearly defined goals. That is what really determines if a move to the cloud is successful or not. These questions might include:
What is a workflow connected to? If merging a specific department workflow into the cloud, such as a radiology PACS, you need to understand what is connected to the workflow. This usually includes a radiology information system, but also requires access to patient history and other information stored on the EHR. Access to prior exams in the archives is needed, along with previous lab results, to make a diagnosis or answer clinical questions. Radiology often has different viewers, may have legacy PACS or other reporting systems with which it still needs to establish connections. Some hospitals also link prior imaging with patient access portals, or there may be remote viewing systems for referrers to access images and reports.
"So, it is not just the primary workflow, but how it integrates with the rest of the things they need to deliver care," Gluck said.
What is the application rationalization? This includes: What is the workload, what does it talk to, who uses it, how do they use it, what are the business drivers for a continuity plan, what are the requirements for a system to be up or not up, and what needs to be done when the system does go down? This often requires health systems to use a third-party consulting firm to help them figure this out, Gluck said.
"The organizations that are really successful are the ones that are very thoughtful and asking the right questions to reduce the risk. But it means they have to do something different than what they are doing today. When they control physician access to the data in their own data center, they have firewalls, intrusion prevention, and software to look for anomalies in the network. It is easy to do that within your own four walls. But if you now take five business-critical workloads and put one in Azure, one in AWS and one with a remote hosting company, you have to extend all those facilities out to the endpoints. Some organizations have a false sense of security because they did not do the work they need to do to extend their program out to cover workloads in these areas," Gluck said.