Nov 20 2023

Hybrid Cloud in Healthcare: Tips for Management and Security

Healthcare organizations must consider factors such as governance and connecting essential applications when adopting a hybrid cloud architecture.

Although many healthcare organizations were slow to make the move, migrating to the cloud brings them the benefits of agility, resiliency and performance. However, the cloud also comes with several challenges, including how to manage security and governance.

A hybrid cloud mixes on-premises infrastructure, private cloud services and a public cloud such as Amazon Web Services, Google Cloud or Microsoft Azure.

Some healthcare organizations use a multicloud approach for multiple needs. For example, they may use Azure for office work, IBM Cloud for back-office tasks and Google Cloud for artificial intelligence, says Rohit Badlaney, general manager for cloud industry platforms and solutions at IBM.

Using multiple clouds can bring cost savings because of the business model of renting out server space, explains John Moore III, managing partner at Chilmark Research.

“[Health systems] are paying for processing time in a lot of these cloud contracts that they are entering into,” he says.

When thinking about whether to move to a cloud platform, consider the total cost of ownership. Some cloud providers supply a TCO calculator to help calculate these costs.


The Benefits of Hybrid Cloud for Healthcare

An on-premises infrastructure works well for critical care and collecting immediate feedback from ICU patients, while video-heavy telehealth and electronic health record platforms reside in the cloud, says Moore.

Moore says remote patient monitoring is a type of application that could work well in a hybrid cloud with continuous data feeds coming from onsite data sources. Unless an alert has triggered a critical need for an on-premises connection, the continuous data monitoring can be offloaded to a cloud provider, he says.

“You should spawn that off onto a cloud provider that can update continuously and add additional compute power,” he says.

Optimizing Cloud Connections with a Unified Approach

A key challenge for healthcare organizations is how to unify the on-premises and off-premises parts of a hybrid cloud and establish central management. Badlaney recommends a joint data and application architecture rather than having applications and data in separate places. Without optimizing connections to the cloud, healthcare organizations experience latency and increased downtime.

“You usually hit a latency issue when you have a part of an application sitting somewhere and the data is sitting somewhere else,” Badlaney says. “I see clients making joint data architecture and application architecture decisions so that the end-to-end application is optimized.”

Critical systems with data processed in real time may remain on-premises while healthcare organizations take advantage of the cloud’s flexible compute power without the physical limitations of a server farm, Moore says. Organizations can handle the additional network load that arises in an emergency. A hybrid cloud allows a hospital to react to a natural disaster or power outage if a local data center goes down.

“You can just scale up your resources as you need and then scale them back down, so that’s definitely a big benefit to the cloud,” Moore says.


Hybrid Cloud Security and Reliability Are Important for Healthcare

Organizations should ensure that their application estate is sound from an architectural perspective. That means “transforming and driving workload migrations and modernizations based on the correct hybrid cloud landing zones,” Badlaney says.

Landing zones, the compute, storage and network profiles for running applications, are a key part of hybrid cloud security because they correspond to performance and security profiles. Types of landing zones include VMware running on an x86 server, Red Hat’s OpenShift running containers, an IBM Power virtual server landing zone running Power servers, or a mainframe server running transactional workloads, Badlaney explains.

“You have to pick those wisely as you think about your cloud journey,” he says.

Badlaney recommends using private endpoints and SSL encryption to keep a hybrid cloud architecture secure.

Hybrid cloud workloads can connect to local data centers using a service like IBM Cloud Direct Link. IBM coordinates with telecom partners to configure a network setup and bandwidth.

“Then we use security mechanisms, such as virtual private endpoints and encryption, to make sure that the end-to-end pipe is supersecure,” Badlaney says. “It’s visible and private to the client.”

In addition, redundancy and secure backups are a good way to protect the healthcare organization in case a ransomware attack occurs, Moore says.

“It’s useful to have that redundancy in place for any unforeseen circumstances,” he adds.

“If you design your workloads and applications to sit on a single zone and not leverage disaster recovery and backup and all the good things that make your applications resilient, you’re going to go down,” Badlaney adds.

Compliance in the Hybrid Cloud Protects Patient Data

In a highly regulated industry such as healthcare, compliance is a key consideration when evaluating a hybrid cloud infrastructure. A vendor such as IBM builds controls and compliance into its hybrid cloud platforms, requiring adherence to regulations such as HIPAA or HITRUST. By using HIPAA controls, healthcare organizations can validate that their workloads are running on a HIPAA-compliant cloud, Badlaney says.

“At the end of the day, control can be a process thing; for example, making sure that your supply chain is secure,” Badlaney says. “And then there are technical controls, such as making sure every bit of data is encrypted using the industry’s highest encryption level.”

Although cloud providers help with regulatory compliance as part of business associate agreements, healthcare organizations should also stay up to date on new requirements, Moore advises. He notes that federal initiative 405(d) standardizes responsibility around security in the cloud.

“Obviously, you rely on your cloud providers to make sure they’re on top of that, but you still need to do the due diligence yourself as a buyer,” he says.
