There’s also a growing concern over who’s running the cloud infrastructure on which healthcare organizations are moving their data. It’s primarily tech giants like Amazon, Google and Microsoft Corp. that have been embroiled in controversy over data privacy—or lack thereof—in the consumer world.
“Healthcare systems have hundreds and hundreds of business associate agreements, and they don’t always disclose—or typically don’t disclose—who those vendors are,” said West Monroe’s Seyb. “But when you talk about the Amazons and the Googles of the world, it certainly has a different feel, from a patient standpoint.”
That tension came to a head last fall, when details emerged about a partnership between Ascension and Google, drawing public concern over patient privacy and sparking a federal probe. The St. Louis-based hospital giant and Google have said that their work, which includes a contract to move Ascension’s patient data to Google Cloud, complies with HIPAA, as Google signed a business associate agreement. A move to the cloud will help Ascension manage large datasets “needed to improve and consistently deliver high-quality care for our patients,” a system spokesperson wrote in an emailed statement.
“The data resident in that cloud environment is controlled, managed and audited by Ascension,” the spokesperson wrote. “In this secure environment, we are developing applications (our own and those co-developed with technology partners) that are customized to support the delivery of high-quality care.”
The partnership captured the attention of lawmakers, too. Last week Sens. Elizabeth Warren (D-Mass.), Richard Blumenthal (D-Conn.) and Bill Cassidy (R-La.) pushed Ascension to share more details, after deeming a reply to an initial inquiry from Google inadequate.
Setting up strong boundaries on what a cloud vendor is able to see—and, for data the vendor can access, clearly outlining what that information can be used for—is a fundamental first step when partnering with a cloud vendor, said Nate Ulery, managing director in West Monroe’s technology practice.
For Legacy Health, that meant setting up a “rigorous contract” with Microsoft to delineate what the company could access, before migrating applications to the Microsoft Azure cloud computing service, Kenagy said. “They see the servers,” Kenagy said of Microsoft. “They can’t see or copy the data.”
Healthcare organizations should also think about whether to share information about their cloud deals with patients, and if so, how to educate patients about the agreement. That’s something Mayo prioritized when striking its contract with Google, according to Ross.
“We’ve tried to be very public about our relationship with Google,” which the system announced in September, Ross said. “We wanted to be clear with our patients and others what we were doing.”
Google isn’t Mayo’s only cloud vendor; Ross said the organization will continue to work with companies like Microsoft and IBM, too. For Ross, cloud computing is just the next phase of innovating with data—at Mayo, that traces back more than a hundred years to when the system rolled out its first standardized medical record, albeit a paper-based one.
“When they invented that record form in 1907, they anticipated that the data would not just be used to treat that patient, but we would also extract insights out of that data that would help us advance healthcare,” Ross said. “Here we are, 113 years later, and we’re doing the same thing—it’s just that we’re doing it at a much larger scale with a lot more data.”