Like many industries, the healthcare sector continues to transition its massive amounts of data to the public cloud, both to protect personal health information and to use emerging cloud technologies to better personalize healthcare.
To learn more about how patient-centered technologies are being used to extend care beyond the four walls of hospitals and doctors’ offices, ShareVault CEO Richard Andersen recently sat down with Matt Ferrari, the Chief Technology Officer at ClearDATA, to discuss how the cloud can be used to protect, securely manage, and fully automate many healthcare applications, data and IT infrastructure.
ClearDATA was conceived and designed to serve the critical system needs and regulatory requirements of healthcare organizations. Their founders drew upon their own experience in the healthcare IT and cloud computing industries to create a robust, secure, reliable, and HIPAA-compliant cloud computing solution for healthcare. Five years ago, Matt came to ClearDATA with a passion for growing the security, compliance and privacy market for healthcare in order to improve patient outcomes.
Richard Andersen: Healthcare is a broad sector with diverse challenges and needs. What is it that ClearDATA tries to address?
Matt Ferrari: When we look at our customers, we try to decipher what their challenges are and what keeps them up at night. What we find is that healthcare organizations are usually struggling in a couple of ways. They’re struggling with securing data while trying to innovate and they’re struggling with how that innovation happens. They’re employing technology in an attempt to deliver patient care faster and more efficiently, and they don’t want to log into a dozen different systems in order to do that. What ClearDATA provides is a way to unify those systems in order to deliver a better patient, nurse, doctor, practitioner experience in a secure fashion without putting data and patient lives at risk. We do that by focusing on security and compliance.
Secondly, we focus on how that innovation happens. If an organization focuses on staffing in order to innovate faster, it’s going to be expensive and inefficient. That expense is then transferred to the provider or the payer serving the patient. What we do is focus on building technology that automates security and compliance in order to streamline those processes and systems that serve healthcare patients and customers.
RA: Is automating systems and processes something organizations are already pursuing or is it somewhat of a revelation for them when they realize that’s something ClearDATA can provide?
MF: It’s both. About 50% of my time is focused on educating the healthcare market regarding emerging technology and how it can help to improve patient care. In many cases, those aren’t even customers, but rather people or analysts in the space doing research about cloud transformation and trying to understand the security ramifications, the benefits and the total cost of ownership. Often, my conversations begin with a client looking at automation for a specific use case, such as streamlining a clinical trial, and then that evolves into seeing broader benefits.
In the life science and pharmaceutical space there are standards for Good Scientific Practices (GSP) in order to ensure that products are safe and meet the intended use. That means that there needs to be traceability and the ability to reconstruct the development history and all the data. Organizations need to be able to show that the drug was created, or the trial was run, the same way on the first day as it was on the hundredth day. So often, clients arrive at ClearDATA wanting to automate a single process but quickly realize that automation can also provide the rigor around security and compliance that enables them to meet required standards.
RA: The big cloud providers like Amazon, Google and Microsoft are offering a lot of innovative capabilities. Are they similar enough or are they different enough so that you have to evaluate which one is the right fit for a given set of prospective needs or are healthcare organizations using more than one?
MF: That’s an interesting question. The truth is, the pace of innovation for those public clouds is phenomenal and I have a hard time keeping up. We’re beginning to see some healthcare providers diversify their service providers and treat them just as they would any other vendor. They might use one provider for production and another for something else. And, there are more to choose from every day. Two years ago at Amazon’s big show re:Invent there were about seven to nine BAA-eligible services. Last year there were about thirty. As of right now, there are over sixty. My guess is that at this year’s show at the end of November there will be even more.
One of the key things that healthcare and life science organizations need to keep in mind is that not every public cloud service is HIPAA eligible or BAA covered. Just because a service exists doesn’t mean that you can lawfully use it to store or transmit PHI or PII. But healthcare organizations are beginning to diversify their public cloud service providers because some fit their specific needs better than others. I would say most are still only using one, but that is rapidly changing.
RA: Are there any other trends you’re seeing in terms of the cloud and what’s available now that companies should be thinking about?
MF: One of the most exciting things I see is the trend for organizations to adopt SaaS solutions. For decades, healthcare facilities, whether provider, payer or pharmaceutical, have been buying traditional IP hardware and software. As they embraced the cloud they were originally looking at it in terms of shifts. How do I move my giant population of health and EHR applications into the cloud in shifts? But that’s not the way to optimize. Patient care wouldn’t get better; it would actually get more expensive. But now healthcare and life science organizations are starting to open their eyes and adopt these born-in-the-cloud solutions that already have security, compliance, privacy and automation built into them. Those are some of my favorite customers because they’re really focused on bringing a very innovative product to a laggard industry.
RA: What about machine learning and artificial intelligence?
MF: All three of the public cloud providers are investing heavily in machine learning. Microsoft was the pioneer with Cortana. The benefit is that you don’t have to be a programmer or a developer to use machine learning. It’s almost drag and drop. Aside from speed and time to market and seeing results faster, machine learning also reduces the need for talent. A lot of healthcare organizations simply can’t hire the number of programmers they need. Machine learning also reduces the need for infrastructure, much of which sits idle a lot of the time.
I know of a company that developed a product that evaluates oncology scans. Rather than taking the traditional eight to 12 doctors required to determine what the patient’s therapy will look like, what drugs they should take, what the chemo plan will look like, they instead are using machine learning so the tumor can be evaluated using data that includes trends, demographics, geography, eating habits, etc. and it can produce a diagnosis that is much more accurate because it has all that big data behind it. I think the day is not far off when patients will not trust a diagnosis unless it’s first been evaluated by artificial intelligence.
RA: What about encryption and backup? Are you seeing more of those kinds of tools available?
MF: Historically, the problem with backup in healthcare has been twofold. First was the ability to validate that it was always working. Second was the issue of expiration. The cost of storage and backup isn’t cheap. Even in the cloud the cost of doing a restore is significant. There are also challenges of knowing you’re getting the right data set.
There are now some technologies which are cloud native that have intelligent backup or snapshot capability and can determine what type of data is inside that snapshot or inside that backup without having to do a restore. The reason that is exciting, other than cost savings, is that you can expire specific patient records based on how long HIPAA requires you to keep them. For example, the amount of time my daughter’s patient record is required to be kept at the hospital is very different from the amount of time they have to keep my patient record at the hospital. Today, it’s all backed up to the same devices for the same amount of time. Most healthcare organizations actually keep it forever because that’s simpler than figuring out the alternative. We’re getting to the point now where we can use snapshot technology to get a quicker backup, reduce costs and expire data that doesn’t need to be retained.
RA: When you think about healthcare provider endpoints—doctor offices, chiropractors, dentist offices—what would you say is the state of compliance with regard to HIPAA?
MF: What I see can be a bit scary. The challenge that most of these healthcare providers face is that they don’t have a compliance officer. They’re small and they’re busy helping patients. Also, regulations are constantly changing. So, they need guidance. They need guidelines for encrypting backups and keeping them offsite. Very few people do that. Most small doctors’ offices do their backups onsite. Also, they don’t understand the difference between encryption at rest and encryption in transit. It’s very unfortunate but it’s a difficult balance between serving patients and the need to always secure data.
The good news is that when we work with providers and help them understand that they may be missing something, that information is almost always received with open arms. They don’t want the alternative of a security incident, or worse, a legal declaration of breach.
RA: What would be your one best practice suggestion for companies wanting to be more secure?
MF: The first step is always to do an evaluation. There are lots of service providers that offer free assessments to evaluate your current environment and to identify risks. That includes both cloud and non-cloud environments. These security risk assessments will include penetration testing and vulnerability scanning in order to get a read on the organization’s current climate. Start with a professional evaluation, so that you’re not trying to solve a problem before you know what the problem is.
ShareVault partners with ClearDATA to deliver the 24x7x365 cloud provisioned and managed ShareVault platform. Through this relationship, ShareVault customers benefit from the wide array of security, monitoring, and scaling capabilities in which ClearDATA excels.
To learn more about ClearDATA, access https://www.cleardata.com/
Richard Andersen is the founder and CEO of ShareVault. He has an MBA from the University of California at Berkeley and has worked for companies such as Apple, eBay, Ernst & Young and MarketFirst. He brings an entrepreneurial mindset to everything he does and is passionate about creating strategic partnerships.