Since the eruption of cloud infrastructure providers such as Amazon, Google, Microsoft, and other regional competitors, the case for migrating out of proprietary data centers has grown in both size and strength. Most industries have almost entirely migrated to the cloud and now one of the most regulated industries, healthcare, is starting to take advantage of recent developments.
What is driving this migration and what are the benefits and risks of the public cloud in the context of the health industry?
The main contribution of the cloud or Software as a Service (SaaS), to the Health Industry is the reduction of the Total Cost of Ownership (TCO) for their users. To understand that statement we will decompose the issue in two categories:
1. Capital Expenditure
From the CapEx, let's start by considering the physical variables that play differently in on-premises and cloud environments.
The most obvious factor affected by the decision of outsourcing a capacity is the required infrastructure. It's perhaps the most visible aspect of them all.
Projected Growth and Peaks
When establishing a new capability, it's necessary to purchase hardware not only for the current requirements, but also to cover the expected peak loads and short or medium-term growth. Therefore, the infrastructure will be bigger than actually required today. If the aspect of depreciation and the "lock in time effect" is also included (the company cannot take advantage of advances and improvements in technology, until the depreciation is accounted in full and new equipment can be re-purchased), it's quite obvious how expensive it could be.
Business Continuity (BC) and Disaster Recovery (DR) is another requirement that will affect the capital to be invested. To achieve BC, it's required to have no single point of failure, which means that it is required to duplicate some equipment and design in such a way that all single points of failure are removed. This redundancy implies that some investment is not going to actively produce any impact in performance, since it's there only as a backup. If the BC/DR requirements are strong enough (as they should be in the Health Industry) that goes not only for networking and computing but also for Power Supply, Cooling, Geographical locations and ISPs. In a Cloud deployment all those factors become variable, allowing the user to adjust "as they go". Therefore, it's not required to scale the provided infrastructure to account for peaks, growth, or provide extra redundancy in geographical locations, etc. All of that is taken care of by the Cloud Service Partner (CSP which is the technical name for the Cloud Provider) and all the inherent complexity and cost is removed away.
Design, Architecture and Security
On top of the hard factors of CapEx outlined above, it's also required to consider the soft factors. These considerations are less obvious and visible, but certainly more expensive than the previous ones. While Security is always an important topic, it is paramount in the Health Industry. Security Frameworks for the Health Industry currently require "Security by Default and by Design" and therefore security can't be an afterthought. It cannot be added "on top" but has to be part of the Design, built in the infrastructure, including the networking, computational devices, applications, logging, monitoring, etc. and all the way through the implementation including processes and usage of the system by their consumers. And that's just one of many requirements emanating from different frameworks (HIPAA, GDPR, etc.) with hefty fines "up to 4% of annual global turnover or €20 Million (whichever is greater)". To achieve such quality standards, let alone certify the ones that are certifiable, it's requires a lot of investment and training, not only for the users but also for the designers, implementers and supporters of the system, in a variety of topics such as encryption, networking, OS hardening, application security, authentication and authorization frameworks, intrusion detection and prevention, vulnerability scans, etc. Again, in a cloud environment, and especially when a Cloud Service Partner is providing the service (CSN is the technical name for the specialist partner providing the actual service), most of that complexity and cost is taken care of by the third parties (both the CSP and the CSN). Those Security Frameworks allow for mechanisms to delegate tasks and, more importantly, responsibilities. The only remaining concern for the Consumer is to follow standard procedures and guidelines in user and access management, etc.
2. Operating Expenditure
Once the project is released, it doesn't mean the TCO is finished. If it's deployed in-premises, it's required to assign the corresponding OpEx budget to support and maintain the infrastructure.
Maintenance, Monitoring, Support
Repairs, replacements, monitoring, alerting, on-call engineers, upgrades/updates, are surely to be required and therefore must be accounted for.
But it is not only the infrastructure, bear also in mind that Security is an evolving landscape. All those security frameworks are updated and improved as new threats and vulnerabilities are discovered and exploited by potential attackers. Therefore, it's required to consider security not only in the design and implementation phases, but it will also require Maintenance and Updates/Upgrades. The Cloud Service Partner (CSN) takes care of almost all of those costs, being able to provide a much higher quality service for a fraction of the costs since it's acquiring the experience and spreading the load among a wider base (design, architecture and support is standardized among a number of customers, which reduces costs for each one of them).
In conclusion, choosing a cloud or SaaS option will provide concrete and immediate benefits to healthcare organizations, since it will significantly reduce the Total Cost of Ownership by:
- Reducing the Capital Expenditure close to zero
- Making the Operating Expenditure variable and keeping it always at the minimum necessary (no need to buffer for peaks, growth, BC/DR, etc.)
- Outsourcing the overall costs in training, updates, upgrades, monitoring, alerting and on-call, to a third party that will charge only a fraction of it.
So, the future of computing is in the cloud, and it is especially important for healthcare organizations to explore the benefits and risks of the public cloud to help reduce TCO. To learn more about migrating out of a proprietary data center to the public cloud read this white paper, Migrating to the cloud for the Health Industry.