Boston healthcare organization CIO and longtime technology standards leader John Halamka has been quite open over the years about his organization's technology efforts and challenges. Back in 2002 he shared his hospital's 3-day struggle with network slowdowns. Last Year, the Beth Israel Deaconess Medical Center CIO sounded the alarm that an FDA warning about a compromised medical device wouldn't be the last.
This week, Halamka revealed in his "Life as a Healthcare CIO" blog that he's prepping for a big move to the public cloud from a 250 in-house server setup, prompted in part by an upcoming lease expiration on the building housing BIDMC's primary data center.
BIDMC isn't entirely new to the cloud. In an email exchange, Halamka told Network World that the organization has moved "supportive systems," such as educational resources and web hosting to the cloud, but now is getting ready to move critical business systems to the cloud.
"We've gone from cloud-hosting the periphery to cloud-hosting the core," he wrote.
In doing so, BIDMC isn't overlooking the technology (IaaS vs. PaaS, etc.), security (get an independent audit and don't overlook application-level protection) and legal concerns, the last of which includes indemnification for costs related to a breach.
Of all of these, the legal concerns are the most difficult to resolve. Many customers will ask cloud vendors for an indemnification clause without a cap - the vendor must cover all costs associated with a breach including third party law suits. No cloud vendor will sign an agreement without a cap. What is the current benchmark? The Cloud Council offered this white paper which suggests a cap of 12 months of fees is typical.
Halamka recommends pushing beyond that to a 3-year cap. Costs can pile up in the wake of something like a breach, from notifying customers to call center expenses. Cyber-liability insurance is something to consider, he adds.
In an interview last fall with CIO.com, Halamka said a key change in recent years has been the willingness of the big cloud service providers like Amazon Web Services, Google and Microsoft to sign business associate agreements that require them to submit to audits and adhere to privacy and other standards.
The CIO in his blog post this week lays out milestones for the next two years as BIDMC makes its way further into the cloud. It should be interesting to get Halamka's insights along the way.