Healthcare has traditionally been a late entrant in adopting new information technology innovation, and the Cloud is no exception. In terms of markets, the US has been a first mover in healthcare Cloud applications. The EU has spent a great deal of time and effort assessing its implications, above all on data privacy. Britain, however, may have taken the most significant steps to begin endorsing use of the Cloud in its healthcare system.
Cloud computing comprises platforms and applications (online operating systems, file and data sharing), as well as infrastructure (Web-based data storage and access). Service providers bill users on the basis of subscriptions or pay-as-you-go. The latter is a key incentive for growing interest in the Cloud, given that it allows businesses to reduce upfront investments and scale up on the basis of real requirements rather than anticipated ones. The Cloud’s use-based pricing model is also cost-effective for occasional spikes in demand (for example, clinical laboratories in flu seasons) rather than supporting redundant IT capacity through the rest of the year.
A utility in the making, the US in the lead
On the supply side, some Cloud computing vendors have developed their own end-to-end offerings. Others procure platforms and applications from third parties, and often outsource their infrastructure. This aggregation is again based on a heterogeneous mix of business models. Overall, the Cloud industry is clearly developing into a utility, like electricity, gas or water.
Healthcare Cloud computing has so far been principally a US phenomenon, driven by incentives and regulations for adopting electronic medical or health records. Topping the list here is ARRA (the American Recovery and Reinvestment Act) and HITECH (the Health Information Technology for Economic and Clinical Health Act), which mandate the adoption of electronic medical and health records. Alongside, regulations for switching over from ICD-9 to ICD-10 diagnostic codes also provide a window for hospitals and health practitioners to assess both the opportunities and challenges in Cloud computing.
The impact of such drivers in the US has been seen in some of the toughest fields of healthcare, and those differing most from generic industry applications for the Cloud – such as payroll processing, billing and cost accounting. Cloud vendors have successfully made headway in clinical applications such as laboratory– and radiology information systems (LIS and RIS) as well as picture information and archiving systems (PACS). In each of these, rapidly escalating volumes of data coupled to requirements for real-time access have strengthened the case for the Cloud at an especially opportune moment – just as federal funds have flowed in for implementing electronic records.
Europe’s key challenge is data privacy
On the other hand, one of the greatest challenges for ramping up the Cloud in Europe is the storage of data across borders, with yet-unclear ramifications on data privacy laws and regulations. Two of the most sensitive industries here are banking and healthcare.
Complicating matters further is the tendency of certain Cloud providers to refuse disclosing the location of data, and the complex, overlapping business model which anchors Cloud computing. As mentioned, many Cloud service providers insource/outsource to either application or storage vendors – posing a troubling and legally challenging question about ownership of the data.
This is where Europe has chosen to raise – and struggle – with some serious questions, which have dampened the uptake of Cloud computing. European Union Digital Agenda Commissioner Neelie Kroes insists that every EU citizen or company must be certain of two things: that their personal data is protected by a Cloud computing provider in compliance with EU rules, and that governments of countries hosting EU-origin data have adequate rules for data protection and privacy. The sensitivity of this issue recently threatened to derail progress on an EU Free Trade Agreement with India, which has the world’s biggest IT outsourcing industry.
However, the security and privacy aspects of the Cloud computing challenge goes further, to the US – a more important partner for the EU. In particular, serious differences on privacy between the two have discouraged European companies from using US-based Cloud vendors. One of the major problems here is the Patriot Act, which provides US security officials access to data on Europeans.
Similar roadblocks have occurred in the past, most notably on airline passenger data. However, Europe finally conceded to US demands in April 2012 – going all the way to accommodate not only European airlines but other carriers incorporated or storing data in the EU, and operating flights to or from the US. While questions about data privacy and security with regard to the Cloud run their course, the EU has clearly seen the risks of being left behind in the Cloud computing race.
The EU Commission and the Cloud
At the end of September 2012, the Commission published a Communication (an approach paper) about its Cloud computing strategy. Neelie Kroes, the EU Commissioner who had insisted about the overarching need for data security and privacy, argues that an EU-wide strategy on the Cloud will provide Member States with global “competitive advantage,” both due to the size of the European market and the trust created by a common approach. Indeed, her spokesperson Ryan Heath points out that the Cloud will permit “almost perfect tracking” of people on the Internet.
The EU Communication, titled ‘Unleashing the Potential of Cloud Computing in Europe’, estimated as much as 160 billion Euros a year in annual IT savings via the use of the Cloud, or about 300 Euros per person. In addition, it notes that an effective EU Cloud strategy could generate up to 2.5 million new jobs.
Nevertheless, the EU’s plans for the Cloud continue facing barriers, some of them major. Member States allocate different degrees of priority to privacy/security, and to the Cloud itself. Both have a high degree of significance for healthcare IT. Indeed, the status of healthcare as a follower rather than a first mover in IT innovations is underlined by the EU Communication, which has little specific to say about a potentially Cloud-hungry sector like healthcare, aside from making general references to its utility for e-Health.
To address the security issue, the EU Commission proposes that Cloud computing contracts specify the physical location of user data. A proposal for a Data Protection Directive, currently being debated in the European Parliament, requires information to be stored either in the European Economic Area (the EU plus Iceland, Liechtenstein and Norway) or in a country with ‘equivalent’ privacy laws. However, none of the clauses in the Directive specifically covers the Cloud – which by etymology entails borderlessness. To address this, the EU plans to work with the Paris-based OECD (Organization for Economic Cooperation and Development) to establish common Cloud standards, and with the World Trade Organization in Geneva to lay down rules for cross-border procurement of Cloud services.
A more vexing hurdle lies in Europe’s largest economy. Germany has regulations which prevent its companies from making use of the Cloud, according to Carl-Christian Buhr, an EU Commission expert. Indeed, German rules require companies to have physical control of their IT infrastructure.
Small steps and giant leaps
At the other side of the equation is Britain. Since early 2012, it has steadily built and promoted the use of G-Cloud, an onshore State-owned Cloud infrastructure for public authorities, with access to pre-approved vendors via a Portal known as Cloudstore. In spite of the absence of dominant Cloud vendors such as Amazon and Google, as well as resistance from purchasing managers used to dealing with traditional suppliers, Britain shows that taking a well-planned plunge into new technology frontiers can both yield benefits and contain risks. Here, healthcare is right up on the front lines.
In February 2013, the Care Quality Commission (CQC), which regulates over 40,000 British health organizations, revealed that its selection of G-Cloud (for a new open-source CMS) had been run in a dual process, alongside a tender to find a vendor of ‘traditional’ (non-Cloud) technology. The Cloud was, in fact, the Plan B option. However, CQC chose Cloud provider Ixis, abandoning a full commercial tender (Plan A), after Director Henry Vook gained confidence that their requirements would be met by G-Cloud.
Britain has also chosen incremental growth rather than a Big Bang, with procurement for G-Cloud run in 3-6 monthly intervals. This permits user feedback and requirements to be fine-tuned for subsequent rounds. In spite of spending so far of just GBP 4 million, “no-one can deny that the G-Cloud has been a huge step in the right direction”, notes the leading IT publication ‘Computerworld’.
On its part, aside from addressing security concerns and aligning regulatory frameworks, the EU clearly intends to step up efforts to encourage the Cloud. In January 2013, the EU Commission-supported SUCRE (SUpporting Cloud Research Exploitation) project delivered its interim audit on Cloud solutions for the healthcare sector. Although, as expected, commercial healthcare Cloud solutions are wholly dominated by North American vendors, SUCRE did identify and assess some significant research efforts in Europe. These include pan-EU Open Source Cloud projects (VISION Cloud, Midas, CELAR, neuGRID and KC Class) and Germany’s Stratosphere, as well as Tclouds (a proprietary R&D platform).
What, however, is clearly a cause for concern is the SUCRE finding that “adoption studies and case studies seem practically non-existent” in Europe. Its authors intend to provide at least one study to show the benefits of open source cloud computing in healthcare; their final report is due in 2014.