The attractiveness of the economy of scale of cloud services has drawn many health system CIO’s attention for some time when looking at medical image storage. Now that Enterprise Image Archives are coming, CIO interest in the cloud has increased as has the number of companies offering cloud services to healthcare. When considering the cloud, it is important to look at the risks associated with the cloud and take measures to mitigate these risks.
Security concerns about the cloud have prevented many healthcare organizations from signing up, and the new HIPAA rules make security an even bigger issue. Moving to the cloud can also mean giving up control of the image data since it is on someone else’s hardware. Service outages are another issue to be aware of and retrieving the data upon termination of the service can be problematic as well. Current users of the cloud have run into all of these problems. Healthcare providers can take advantage of their experiences.
All cloud services experience outages, and often Service Level Agreements(SLA’s) are carefully written to exclude specific portions of the hardware and software to limit their liability. In the first 3 months of 2013, Microsoft, Google, and Amazon, all of which offer major cloud storage services, had significant outages.
Microsoft’s Azure cloud storage service went down for 12 hours in February, 2013. The Google Drive cloud storage was down for 17 hours in March, 2013. Amazon Web Services was down for almost an hour in January, 2013. In December, 2012 the Amazon service was down for 24 hours. In total, Amazon had 4 multi-hour outages in 2012.
In most cases, all the data affected in these outages was recovered. Although recovered, the data was often unavailable for sometime after the outage.
Reasons for the outages vary. Often the outage is due to an update of hardware or software in the network or servers that went awry. Hardware failures also occur as data centers are pushed to ever increasing power densities.
Users of the cloud service for data storage need to have contingency plans for outages. The cloud service services offer redundant storage options, including storage in multiple data centers or availability zones. Not only do these options come at an additional cost, they are not fail safe either. Sometimes the switch over to the other center either takes some time to occur or doesn’t happen at all.
Losing control of one’s data can lead to losing the data as well. Millions of users of Megaupload’s file sharing service found this out in January, 2012 when the FBI shutdown the Megaupload web site and seized the servers leased by Megaupload from a cloud hosting service in Virginia.
The servers were seized and the site shut down due to copyright violations involving music and movies stored on the servers. The fact that millions of files were legitimate did not matter, since they were commingled with the pirated files and could not be separated out.
As the case meandered through the justice system, the files remained frozen. The Dutch hosting service for Megaupload had never received a request to save the data. Thus, in February 2013, the Dutch hosting service decided to re-provision 630 servers and deleted all the Megaupload data.
In the United States, the Department of Justice established a process for users to regain their data. It was so onerous and lengthy that few users were able to recover their data. As of October 2013, the hosting service in the US was told that the files were no longer needed and could be destroyed. However, the data could not be returned to its legitimate owners, even though an independent analysis demonstrated that the majority of the files were not pirated.
The Megaupload users learned that putting data into the cloud means losing control of the data. They had no control or knowledge of where it was physically stored or what other data was on the same servers. In the end, they no longer even had access to the data.
Amazon, Microsoft, and other major cloud service companies develop and control their own data centers for their cloud services. In addition, to maintain growth and handle spikes in demand, Amazon, Microsoft, and other companies lease additional capacity from other hosting services. The ultimate owner of the hardware has the most control of the data and it is important to know who this is. The practice of leasing has implications for HIPAA compliance as well.
Two of the motivating factors behind the development of the Internet by ARPA were to have a decentralized network and to enable resource sharing. Any two servers on the network could connect over multiple paths as opposed to a single, fixed point connection. Any attack that took out one path would not disrupt the communication.
As data and services move to large cloud services, the Internet is being decentralized. One of the effects of this centralization is that there are fewer points of failure and one cloud service having an outage can bring down dozens of web services.
The cloud presents fewer and richer targets for hackers. In March 2013, Evernote was hacked, and the user names, emails, and encrypted passwords of all the users were accessed. In 2012, Dropbox, a file sharing and backup was similarly hacked. One of the more extreme examples, was in 2011, when Sony’s PlayStation Network had 77 million accounts compromised.
For healthcare providers considering the cloud for medial image storage, the new HIPAA rules, enforced as of September 23, 2013, make security an even greater concern. The healthcare provider and the HIPAA Business Associate are both responsible if the Business Associate fails an audit or commits a breach. Over 20% of the reported data breaches since 2009 have been caused by Business Associates.
In addition, providers are responsible for ensuring that any subcontractors a HIPAA Business Associate uses are also compliant. Thus, the cloud vendor’s data center must have a risk assessment and be able to pass a HIPAA security audit and so should any hosting service that the cloud vendor employs. As part of investigating cloud storage, healthcare providers need to know the locations of all data centers employed, the company owning the servers, the company operating the servers, and examine the security risk analysis done by each entity.
The security risk analysis must be kept current. This means that any change in the systems storing or transferring the images by the cloud vendor or its subcontractors and their subcontractors requires an update to the to the security risk analysis for any changes in risks.
There are data migration implications in the cloud just as anywhere else. Someday one may wish to change services or leave the cloud or as happened recently, the cloud could leave you.
Nirvanix was the cloud hosting company behind IBM’s SmartCloud Storage service, among other services. In mid September 2013, Nirvanix told its customers that due to a failed funding round, Nirvanix would be closing by the end of the month and customers should migrate their data in two weeks. IBM was not commenting and Aorta Cloud, another large company using the Nirvanix service, announced that it had contingency plans for its clients but could not help other large Nirvanix customers.
Nirvanix ended up staying open until October 15th. Nirvanix partnered with IBM, CoreSite, and HP to get the data out and offered customers the option of either returning their data or transitioning to another service such as Amazon, Microsoft, or Google. No official notice was given on how long the partners could keep the Nirvanix servers up and data transfer going.
The more common need for data migration is to change services or move to a different storage paradigm. A common practice is for the user to transfer all the data prior to terminating the service. Downloads are charged per gigabyte transferred. To speed up the process, some cloud services offer to bypass the Internet by either transferring to a portable storage device or offering a high speed direct connection, at additional charges.
A cloud user’s data may be deleted immediately upon termination of the services. It is important to recover all data prior to termination, and it is equally essential to have the data format, transfer method, and time frame agreed upon in the SLA. There have been reports of data being returned encrypted on media that required special hardware to read.
With 1 Gbps and 10 Gbps networks common in healthcare systems, accessing images over the Internet will not be as fast as accessing images over the internal network. A PACS system getting a prior exam from the local cache may take a few seconds. Getting the same exam from the cloud is dependent on the provider’s connection to the Internet and how much of the bandwidth is available, that is how may other applications are accessing the Internet at that time. It also depends on the Internet latency which is a function of the path the data takes. The same exam could take minutes to transfer instead of seconds.
Amazon Web Services offers a direct connection to the cloud that bypasses the Internet. Options are available up to 10 Gbps at a per hour connect cost and a per GB transfer cost. Even with the direct connection, the exam transfer will still be slower from the cloud than on site, depending on what format conversions are necessary in the cloud servers.
A business continuity plan should be in place to assure that images required for priors or for use in procedures are available during a cloud outage. This plan may include increasing the size of the onsite image cache. To determine the size of the cache, each discipline using the images must determine how long image access is absolutely essential. For radiology it may be a period of years while for wound care, it may be a period of months. The size of cache should also consider performance issues. That is, how old can the data be such that each discipline can afford to wait for the images to be retrieved and how long can they wait.
To protect against data loss, a disaster recovery system should be in place. This could employ a different cloud vendor but one should be careful to know that the two could vendors are not sharing same hosting service. A better approach may be to use a data center that is off site and under control of the health system. The disaster recovery system may be planned to avoid issues associated with data migration, should one decide to change cloud vendors or if the cloud leaves you suddenly.
Security issues will require the provider to carefully vet the cloud service and negotiate theSLA. The cloud service needs to be HIPAA compliant with the HIPAA regulations as they are now – not as the HIPAA regs used to be. Ask the cloud service how often they update their security analysis and if the answer is based upon the calendar, e.g., once a year, there is a major problem. At this point the healthcare provider needs to assess how much time they can spend in educating the cloud service and/or if the provider should be considering alternatives.
The process for notification of breaches needs to be carefully spelled out in the SLA. The healthcare provider is responsible for notifying patients within 60 days and needs time to do so. This may mean that the cloud service needs to notify the healthcare provider within 10 days.
Once all these measures are planned, the costs and risks associated with archiving medical images in the cloud may be reconsidered. It may not be as inexpensive as first thought. Contingency plans and well written SLAs are a must.
The worst cloud outages of 2013 (so far)
Cloud Computing – Outages: Analysis of Key Outages 2009-2012
The Most Recent Amazon Outage Exposes the Dark Side of the Cloud
Amazon Cloud Outage Kos Reddit, Foursquare & Others
More than 10 million legal files snared in Megaupload shutdown
LeaseWeb explains why it deleted Kim Dotcom’s MegaUpload data
The Dark Side of the Cloud: IBM Partner Gives Fold Two Weeks to Move Data
Nirvanix Shut-Down Sends Shockwaves through the Cloud Services Industry