When transitioning to or maintaining its place in the cloud, your organization’s success and security depend on 3 critical components:
- A solid understanding of what you own
- Documented processes and controls
- The right people
Without these components, you’re less likely to realize the valuable potential of the cloud. Even more importantly, your organization could be opened to serious cybersecurity, compliance and other risk (see Cloud Computing: Recognizing and Managing Risk).
Organization leaders make daily determinations about deploying resources — people, capital and assets. As organizations advance through the era of big data, shifting to digital in every possible area, many decisions involve IT investments. In the long run, migrating IT operations to the cloud can save on capital and operating costs, and enable greater focus on the core mission of delivering exceptional service such as quality patient care.
But even as the cloud’s benefits are acknowledged, adoption is still relatively slow. Some IT departments continue to invest scarce health system resources, time and money in maintaining and supporting aging IT infrastructure. It is up to CFOs to challenge their organization’s IT status quo, asking pertinent questions and securing informed answers.
To do so thoughtfully, a CFO partners with IT and operations for their expertise and execution as aids in business decision-making.
Close collaboration with the CIO is essential throughout the process, starting with inventory applications, functionality, and internal and external resources. With the CIO driving infrastructure, data protection and cybersecurity, it is up to the CFO to gain either the assurance of a solid base for your cloud activity or the commitment to make necessary changes, and confirmation of risk mitigation procedures.
The CFO starts with three main questions:
With the CIO driving infrastructure, data protection and cybersecurity, the CFO asks the questions that will gain either the assurance of a solid base for your cloud activity or the commitment to make necessary changes, and confirmation of risk mitigation procedures.
What software applications do we own, are they well-utilized, and where are they?
Which applications provide data for our key reports, and do they deliver the data accurately?
Have we vetted our vendors and business associates, and do we have a defined third-party compliance program?
1. What software applications do we own, are they well-utilized, and where are they?
For health care leaders, critical data includes protected health information (PHI), personally identifiable information (PII) and/or payment card industry (PCI).One valuable storage location is a centralized configuration management database (CMDB), a fundamental database of applications, with tracking of specific applications. Creating and maintaining a CMDB are necessary but not easy tasks to accomplish or internally align. IT assets and applications might be purchased throughout the organization; critical data could be found in biomedical engineering, IT, informatics and most clinical areas. Part of the ongoing CMDB effort should be requiring that IT be apprised of every software purchase and the data being generated or collected. When populated, this repository becomes a means to understand the composition of critical assets such as information systems, and their upstream sources or dependencies and downstream targets.
The first step is to uncover what your organization actually owns. If software purchases can be made independent of IT oversight, there could be a tangle of applications and data storage. Ask these questions initially and whenever someone comes to your office with a request to invest in more technology or applications: Are we maximizing important functionality? Can we move key applications to a managed service or cloud-based application? Are departments required to consult IT when considering new technology? Pointed questions are meant to reveal information about what your organization owns, and the storage location of critical data.
Require IT staff to focus on transparency and partnerships with their customers to ensure they know what is needed to support the mission. When this becomes standard practice, resources currently managing IT servers and storage — traditional commoditized services that can be migrated to the cloud — can begin to work on related workflows. This will allow your organization to drive deep adoption and teaming with business, finance and clinical groups.
2. Which applications provide data for our key reports, and do they deliver the data accurately?
It would not be surprising to most managers, directors, vice presidents and executives that multiple reports are utilized to manage day-to-day operations. Generally, data is collected in a spreadsheet, scrubbed, changed and updated before being passed on to leaders to aid in decision-making. To assure meaningful data is delivered to these decision-makers, get confirmation that all critical reports, dashboards and other solutions are inventoried. With a complete universe of reports, you can then explore the sources of supporting data.
Hospital leadership provides a vital service to patients by building cybersecurity into organizational culture and choosing appropriate personnel to lead cloud activities (see Prevention and Triage Apply in Hospital Cybersecurity)
If your organization is starting or in the middle of a system upgrade or replacement of its enterprise resource planning, revenue cycle or clinical electronic medical records, identify a lead data architect to answer these follow-up questions:
Who owns the data once it’s in the cloud?
What reports and/or new interfaces need to be written to update essential reports?
What is our data governance and management strategy?
Should we use enterprise data warehousing to manage this data?
3. Have we vetted our vendors and business associates, and do we have a defined third-party compliance program?
As markets continue to evolve, compliance requirements that govern advances in technology, digitization and sharing of data will not lag far behind. To manage the volumes of data, many organizations will come to an agreement with third-party vendors even before moving to the cloud. They’ll have realized that the time has passed for organizing and conducting clinical care through only the resources within the organization's four walls.behind. To manage the volumes of data, many organizations will come to an agreement with third-party vendors even before moving to the cloud. They’ll have realized that the time has passed for organizing and conducting clinical care through only the resources within the organization's four walls.
When reviewing compliance programs and related business associate agreements (see Monitor Business Associates to Help Prevent Breaches) for your health care organization, confirm that patient privacy and data security are at the top of the list.
Find out how vendors are chosen, and verify documentation of security checks of those maintaining your critical systems. Depending on the size of your organization, the vendor population could be somewhere between one and 1,500. Monitoring and managing these vendors can be daunting, but implementing a risk-ranking methodology is practical and identifies those that manage critical data and those that do not. Risk ranking can be done by several means, including with use of the security risk assessment tool provided by the U.S. Department of Health & Human Services. Conducting risk assessments helps health care organizations uncover weaknesses and vulnerabilities to help guard patient data, prevent security events and comply with HIPAA. As challenging as this might sound, dealing with a data breach of a third-party vendor and being unaware of the data their systems hold could cost an enormous amount of time, money and resources to resolve, not to mention reputational damage. As challenging as this might sound, dealing with a data breach of a third-party vendor and being unaware of the data their systems hold could cost an enormous amount of time, money and resources to resolve, not to mention reputational damage.
All organizations sharing data with third-party vendors should have a formal compliance program in place. An efficient, solutions-oriented organization is vigilant in making information both available and protected.
Manage answers and resources to lead through organization into the future
Making the decision to employ or expand in the cloud begins with understanding what your organization owns and how it’s used; establishing inventories, processes and agreements; and assuring that the right people are in place. Fulfilling your mission relies on your informed management of these on-the-ground activities.