If cloud technologies and software-as-a-service (SaaS) solutions are to gain a foothold in medicine, open questions must be critically addressed. We would like to provide important impetus on these issues in the VIEW. We therefore approached Bernd Schütze and received answers that were as unvarnished as they were profound and valuable in practice. Bernd Schütze heads the working group on data protection and IT security in the healthcare sector at GMDS¹; he studied medicine, computer science and law and completed additional training as a data protection specialist.
Mr. Schütze, how do you define cloud solutions?
Bernd Schütze: Basically, the cloud is a marketing term which refers to data processing in one or more data centers. No cloud without a data center. Add to this software which, if you will, breathes life into the data center by providing functions for decentralized use. In other words, it provides for networking and ensures that data are transformed in a balanced manner or enables client-dependent distribution. The idea behind the cloud is that institutions can purchase or rent resources at will, rather than setting up and operating the resources themselves.
Until now, the cloud has been frowned upon in medicine. Is this still the case, or has the cloud's reputation in terms of security improved in the meantime?
Bernd Schütze: Yes and no. Fundamentally, in healthcare, we need to look closely at the location of the data center and the data processing. Social legislation imposes strict legal requirements on hospitals.
Apart from that, a cloud is not more secure per se than processing in your own data center. In our context, we speak of an external, in other words, an outsourced, cloud. This means that the data center is not operated by one's own employees, but that external personnel are involved at a possibly unknown location, which initially means less security in processing, as one relinquishes part of one's control options.
Nevertheless, outsourcing can prove to be an advantage from an IT security perspective, as larger providers have quite different staffing options and can set up IT security teams that do nothing else but deal with current security alerts. Due to the shortage of specialists and budget constraints, hospitals often have difficulty in finding IT security officers and other specialist personnel from the IT security environment who can deal exclusively with this issue.
However, IT security is only one aspect when it comes to the question of the cloud. Another is how cloud-based SaaS solutions can be integrated into the workflow. This requires very good insights into how work is performed in the individual hospitals. And this is where one's own IT team scores by a wide margin. The reason being that hospitals are not all the same, even though many medical procedures are standardized. However, the processes in the respective hospitals are far from being the same.
While manufacturers are good at mapping the average customers and their requirements, they cannot address the rather individual specifics of each customer with their rather generic SaaS solutions. In practice, this can lead to facilities having to adapt to a cloud-based SaaS mainstream solution which does not fully cover the individual needs of their own hospital. The blanket statement by manufacturers that they can operate the software better is therefore far from always being true and must be considered on a case-by-case basis. The argument that IT systems are these days too complex to be operated in-house is equally misleading.
In your opinion, what are the questions healthcare facilities should ask themselves to find the right answer to the question of the added value of a cloud?
Bernd Schütze: An important point when assessing whether the externally operated cloud has advantages over an on-premises operation is certainly the size of one's own IT team. Small health facilities with short-staffed IT departments can benefit from solutions in the cloud. Many services are outsourced here anyway, and the cloud is the logical next step. University hospitals, on the other hand, with somewhere between 50 and 100 IT staff, can confidently and justifiably claim that they are not overburdened by operating software. This means that other convincing arguments are needed for the use of SaaS solutions from the cloud.
And which could these be?
Bernd Schütze: The crucial question is availability. It has definitely happened that the cloud services of major providers were not available in certain parts of the world. So if a manufacturer of SaaS solutions hosts its software in the cloud in this part of the world, then one has a serious problem. Just imagine the PDMS systems failing in several German hospitals for a few hours! An availability of 99.9 percent is therefore not necessarily good news if the 0.1 percent residual risk occurs en bloc.
And anyway, one needs to raise the question as to how many suppliers are in fact involved and which manufacturer provides which service. In concrete terms: do cloud and software come from a single source, ideally from Germany? This is advantageous as local requirements can then be addressed more flexibly, and "GDPR compatibility" would then also be assured. Furthermore, there is then presumably only one contractual partner, which makes it safer for the hospitals in case of doubt.
This is different with SaaS providers, who only supply the software, but use the cloud service of one of the major U.S. providers. Here, the cloud must be used as offered; no special provisions can be incorporated into the contracts. Furthermore, the software provider then acts as the general vendor, but the healthcare facility is ultimately dealing with two contractual partners despite having a single general vendor. This can then become a problem if the legal framework in one's own country changes and specific cloud providers may no longer be used. The question then arises as to whether the cloud can simply be swapped or whether this may not be possible at all due to interlocking of the interfaces. Then things can get rather precarious, too.
Thank you for the interview!
Dr. Bernd Schütze
Head of the Working Group "Data Protection and IT Security in Healthcare" (DIG) of the German Society for Medical Informatics, Biometry and Epidemiology e. V. (GMDS)
1 German Society for Medical Informatics, Biometry and Epidemiology e.V.