Moving Healthcare to the Cloud: Measuring Success

Anupam Sahai, Vice President, Product Management, Cavirin

In the last blog of our Moving Healthcare to the Cloud series, we discussed how organizations can operationalize security in order to ensure digital assets remain protected. This blog wraps up the series and examines different ways to measure the success of your efforts to move to the cloud and keep your data secure.  

We hope you have benefitted from our ‘Moving Healthcare to the Cloud’ series. Over the course of the first five blogs, we showed how to identify what steps to take in the cloud journey. It starts with focusing on the why—making the business case for moving to the cloud. We then delved into understanding which of your systems are ready for the journey and which are not.

From there, the series addressed how to assess the appropriate levels of risk for all the assets you are moving to the cloud to ensure confidentiality, integrity and availability. In our most recent blog, we demonstrated how to operationalize security. This includes the policy controls to put in place beforehand, how to monitor security, and how to react to breaches.

Some of the key takeaways from our series are the benefits of moving to the cloud, which go well beyond the cost savings. These include improved system and app availability, enhanced ability to manage risk, and increased ability to employ compensating controls and governance.

We also demonstrated how cloud environments are now just as safe as, and likely even safer than, on-premises environments. The key is to assess each of your systems and data sets to determine which ones you are comfortable with moving to the cloud, and which ones you prefer to keep on-site.

It’s then on to integrating your cloud environments with your systems that remain on-premises, and creating a security framework to protect all of your data as it travels across all of your environments. It’s all about implementing the necessary policies and controls, and then leveraging technology tools to control and manage the access of all your end user groups—including clinical staff, administrators, support staff, patients and your Business Associates.

With a plan and program in place, it’s now time to measure how well the policies, processes, and controls are working.

Metrics to Measure Success 

When it comes to measuring the success of moving a portion of your IT infrastructure to the cloud, here are the key metrics to research and analyze:

  • Availability—what percentage of the time can your end users access the applications they need to interact with each other and to do their jobs? Consider the level of availability for all your end-user groups—internal and external.

  • Reliability—if a system or application shuts down, how quickly can it be restored? Is all of the data recoverable? Be sure to test regularly so you know what to expect when a real disaster strikes.

  • Performance—is the throughput sufficient so end users do not get frustrated waiting for responses? For application usage to increase and generate business benefits, the user experience is critical.

  • Capacity—does the cloud environment easily and quickly scale up and down according to the demands on each of your applications?

  • Service—when technical support issues arise, do IT and end users have immediate access to help desk support? Are issues resolved promptly? When necessary, are issues escalated?

  • Cost—keep a close eye on server utilization and “zombie” servers spun up for a specific business purpose but no longer in use. You don’t want to be paying for cloud resources you don’t use.

All of the metrics above should be backed with a clear ‘Code of Ethics.’ The most important aspect of all when it comes to the cloud for the healthcare industry is to ensure data security. Identity management, privacy and access control should be monitored closely. It’s also important to consider how well your cloud environments conform to regulations. If you fail in the ethics arena, the fallout could be cataclysmic.

For specific metrics that show how well you manage access and risk, and how secure and compliant your business is, there is a wide range of numbers to look at:

  • Number of security policy violations;

  • Percentage of systems with formal risk assessments;

  • Percentage of systems with tested security controls;

  • Percentage of non-compliant, weak passwords;

  • Number of identified risks and their severity;

  • Percentage of systems with contingency plans;

  • Number of successful and unsuccessful log-ins;

  • How many viruses and spam attacks were blocked vs. how many got through; and

  • How many patches have been applied.

For these numbers to be useful, you first need a baseline that examines where you stand today, perhaps recording the results over a three-month time period. You can then compare those baseline numbers to ensuing three-month time periods. The key is to move the needle in the right direction over time.
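The baseline comparison described above can be scripted. The following is an added example, not code from this series or from Cavirin: the record fields, metric names, and both quarters of sample data are constructed assumptions. It computes several of the listed metrics per quarter and marks each as improved or regressed according to the direction that metric should move.

```python
from dataclasses import dataclass

@dataclass
class SystemRecord:          # hypothetical inventory row: one system, one quarter
    name: str
    risk_assessed: bool
    controls_tested: bool
    contingency_plan: bool
    policy_violations: int
    weak_passwords: int
    total_passwords: int

# +1: a higher value is better; -1: a lower value is better.
DIRECTION = {"pct_risk_assessed": +1, "pct_controls_tested": +1,
             "pct_contingency_plans": +1, "policy_violations": -1,
             "pct_weak_passwords": -1}

def pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0

def quarter_metrics(systems):
    n = len(systems)
    return {
        "pct_risk_assessed": pct(sum(s.risk_assessed for s in systems), n),
        "pct_controls_tested": pct(sum(s.controls_tested for s in systems), n),
        "pct_contingency_plans": pct(sum(s.contingency_plan for s in systems), n),
        "policy_violations": sum(s.policy_violations for s in systems),
        "pct_weak_passwords": pct(sum(s.weak_passwords for s in systems),
                                  sum(s.total_passwords for s in systems)),
    }

def compare(baseline, current):
    """Return {metric: (delta, status)} for current quarter versus baseline."""
    result = {}
    for name, direction in DIRECTION.items():
        delta = round(current[name] - baseline[name], 1)
        status = ("unchanged" if delta == 0
                  else "improved" if delta * direction > 0 else "regressed")
        result[name] = (delta, status)
    return result

# Constructed sample data: baseline quarter, then the following quarter.
BASELINE = [SystemRecord("ehr-db", True, True, True, 4, 12, 200),
            SystemRecord("patient-portal", True, True, False, 7, 30, 500),
            SystemRecord("billing", False, False, True, 2, 6, 100)]
# A new system (telehealth) joins with no assessment, tests, or plan yet.
NEXT = [SystemRecord("ehr-db", True, True, True, 1, 5, 200),
        SystemRecord("patient-portal", True, True, True, 3, 10, 500),
        SystemRecord("billing", True, False, True, 2, 5, 100),
        SystemRecord("telehealth", False, False, False, 0, 0, 200)]

if __name__ == "__main__":
    report = compare(quarter_metrics(BASELINE), quarter_metrics(NEXT))
    for metric, (delta, status) in report.items():
        print(f"{metric:24} {delta:+7} {status}")
```

In the sample data the percentage of systems with tested controls regresses even though no existing system got worse, because a newly added system enlarged the denominator; coverage percentages need to be read alongside inventory changes.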

Increase Value Over Time

As you measure the success of your cloud migrations, strive to improve your metrics in each of the areas listed above so that the value of your cloud environment increases over time. As cloud technologies continue to evolve, you will also want to evaluate how your organization’s use of the cloud should change.

The things you can do today will likely pale in comparison to what you can do tomorrow!