The data-intensive nature of radiology has long kept the specialty on the cutting edge of IT. That’s why cloud computing is a relatively old concept among imaging-informatics veterans. While the term might be showing signs of wear, its applications are just getting started. Teleradiology and other forms of telemedicine are generally good uses for the cloud. Others include image sharing within and across enterprises, as well as what James Philbin, PhD, calls visualizing information, which amounts to clinical and diagnostic viewing from the cloud. Philbin is codirector of the Center for Biomedical and Imaging Informatics at the Johns Hopkins University School of Medicine. He says, “Radiologists can read a cardiology study from another hospital in their system that’s 500 miles away or 30 miles away; physicians become independent of the location where the imaging study is actually performed. That’s where you’re going to have the biggest impact—and work can be scheduled for people at different locations across an institution.” To reduce the cloud to mere hardware or software is a disservice, in 2013. William F. Rowell, vice president and CTO, Companion Data Services (CDS), says, “There is so much misinformation out there stating that the cloud is technology, but it is not. Cloud computing is a business decision on how you will consume IT resources. It is multiple delivery mechanisms for IT services.” Within this broad realm are public, private, community, and hybrid cloud versions that are all essentially methods of service delivery. From a radiology perspective, the cloud can provide a central area where images—and image-management and visualization systems—can be securely located. Playing It Safe Why, then, isn’t more health-care information deployed to a cloud? Security concerns are shared by all data-sensitive industries, including energy and finance. While those industries have addressed this concern by deploying the more expensive option of private clouds, too much security limits accessibility in the health-care sector (and increases cost). Rather than inhibit accessibility, Rowell believes that cloud security should make possible the use of images in a more community-oriented manner. He explains the use of a community cloud (versus a private/public cloud) regularly to CDS clients, including CMS, in an effort to lessen the complexities of securing data in a public cloud—and to lower the cost of a private cloud. Today, CMS uses a private cloud and traditional hosting. Rowell points out that switching CMS to a community-cloud concept would be no small change, considering that CMS, the DHHS, the Centers for Disease Control and Prevention, the National Institutes of Health, and other health-care agencies would have to come together to reduce cost and increase flexibility. According to Rowell, CDS is one of three enterprise data centers (CDS, HP, and IBM) for CMS. CDS processes 62% to 65% of Medicare claims for the nation. In the same data center, CDS hosts the CMS National Level Repository (containing information about meaningful-use participants and payments) and the 1-800-MEDICARE National Data Warehouse. “The public cloud is not considered a residence where sensitive data should be placed, due to the increased risk of exposing the data,” Rowell says. “Therefore, the approach is being taken to deploy private clouds,” which are open only to the users who create them, he explains. In Rowell’s experience, private clouds are an expensive option that not all providers and organizations can undertake. This is where a community cloud brings value to users. “The community cloud is like the public cloud in that resources are pooled and shared; thus, it costs less than the private cloud,” he explains. “If it costs less, and more members continue to reduce rates, the adoption level is higher. Likewise, the community cloud provides the security of a private cloud for its members—again, encouraging more consumption.” Private clouds are secured based on the requirements of the consumer and of the cloud service provider. Since there is no sharing of storage, network, and computer resources, the consumer pays a higher price. “Public clouds are just that,” Rowell adds. “They are open to anyone with a credit card, and the security is always an unknown. The prices, however, are normally commodity based. Community clouds are the best of both worlds, but the most difficult to get started. The issue here is finding a community of interest that has members wanting to join together to determine a risk profile that all can live with—and then, to share in the cost savings.” The Technical Side Security mechanisms employed to protect sensitive imaging data are generally the same as those used for HL7 data. Rowell describes these measures as a guiding architecture that positions a security perimeter around the data, providing layers of security (defense in depth) between the potential consumers of the data and the data themselves. This concept also includes identity management. “The differences can be within the application that is delivering the service, such as an imaging application,” Rowell adds. “There is a level of security responsibility that is placed on the application developers to ensure that they also protect the data they are presenting to consumers. It is here that you may see differences in security between an image and HL7 data, in a few ways—such as in the requirements for the application and the developer’s maturity in the security milieu.” From the CDS standpoint, a community cloud is only effective if it meets the needs of its members. Therefore, it can be “a little difficult to pre-position a community cloud, without knowing the members that would be using it. The CDS approach is, first, to locate a community of interest—providers, payors, or others—sharing a set of common objectives and willing to support the good of the community (versus themselves),” Rowell says. Once this community of interest is established, the IT provider can begin to determine the required security posture. According to Rowell, once the provider/payor environment is known, baseline security comes down to three components. The first is encryption that would be applied for sensitive data, at rest and in flight, using an encryption system that at least supports the AES-256 algorithm. The second is an authentication mechanism that, at a minimum, serves as a role-based system that supports the ability to enforce a multifactor authentication process. The third is the existence of policies and procedures that follow National Institute of Standards and Technology (NIST) guidelines, such as those of Special Publication 800-53¹ (SP800-53). Rowell notes that NIST SP800-53 includes different controls for various security levels (high, medium, and low). Another minor security concern, he adds, is the concept of a security-attack surface: the portions of a secure system—in this case, a community cloud—that are exposed to the outside world. “If there are many geographic sites,” Rowell says, “the security-attack surface is expanded.” The Right Environment In its work with CMS, CDS provides the environment where an imaging application can be deployed. As it has done with CMS, CDS can provide an infrastructure environment where a radiology application could be securely deployed, managed, and used to deliver direct value to the health-care community. “We don’t sell or offer an imaging system, but instead, we provide the infrastructure and environment where that imaging system can live,” Rowell explains. “We see a community of interest that could be formed by those sharing images in the provider world. It allows radiologists to increase security and reduce the costs of the image information.” Philbin agrees with Rowell that the potential to reduce costs significantly using the cloud is there—but it’s buyer beware, in many cases, because third parties are trying to capitalize on users’ interest. “Vendors are trying to make as much money as they can,” he says. “Over the next five years, however, it’s going to become significantly cheaper to use a cloud-based PACS than to buy your own hardware and maintain the PACS yourself. When you add up the total cost of ownership, I think it will be 25% cheaper to use the cloud.” Due to the economies of scale routinely found in today’s large-scale business models, many facilities can realize these savings. “Today, a hospital with 90 radiologists probably has 120 workstations for radiologists,” Philbin says. “Each one is a separate computer, but when you go to the cloud, you can use virtual machines and probably lower that number from 90 to 10. You can manage things more effectively if they are virtual machines in a cloud than if they are physical machines, out in the field.” From a physical-security point of view, having fewer workstations means that there is a reduced risk of unauthorized access to patient data. “A lot of equipment walks away, in a health-care environment,” Philbin adds, “and you’ll have a HIPAA event if equipment walks away with patient data on it.” Philbin favors an open-source framework that provides excellent security and flexibility. It’s a software-development environment that is in the cloud and that allows Philbin to work remotely. “Most of the Web is running a cloud (remote services), these days,” he says. “We’ve been building cloud-based vendor-neutral archives (VNAs) at a startup joint venture. VNAs are likely to be the first place that medical clouds have an impact. The second place is image sharing.” Boosting the Odds Like all new endeavors, realizing anticipated cost savings might take time. Prior to investing time and money, Rowell recommends that administrators assess their hardware, software, and intellectual capital. “You must ask, ‘Do I have the IT skill set that can maintain a system and its security?’” he says. “That’s a talent set you would have to acquire, and that adds costs.” Asking members of the existing IT staff to shoulder the burden might move them into an area outside their core competency, Rowell says, taking time away from their health-care work. The other necessity is the staff’s ability to trust the cloud enough to relinquish control. Getting several aspects of the community’s imaging operations into the cloud configuration is one way to avoid problems—and make the change work, the first time. “If you have a community come together in a place where it can deploy these applications—and trust that they are secured—it can get a reduction in price, versus the centralized view of things,” Rowell believes. “It’s a lot more cost effective to do it one time and secure it than to have 20 providers doing it themselves. That’s 20 implementations versus one.” The full purpose of the cloud, in many industries, might well be to let the cloud-service provider take most of the responsibility, as a third-party specialist. “That’s how you drive the cost down,” Rowell says. “You become specialized, standards based, and efficient.” At Physicians Medical Group of Santa Cruz County (Santa Cruz, California), which operates the oldest health information exchange (HIE) in the country, main servers are hosted in the cloud by the group’s vendor. Bill Beighe, CIO, reports that the overall investment amounted to about $1.2 million in startup funds the first year, with ongoing running of the HIE adding up to $750,000 per year. That figure includes all vendor fees, cloud fees, and staff time needed to build and run interfaces with electronic medical records. The HIE serves its users radiology reports and virtually all clinical data exchanged across the community of care—including laboratory reports, narrative reports, and consultation notes. The HIE makes data-backed transitions of care possible, and more than 700,000 electronic referrals and transitions of care have been performed since the exchange began operating, in 1996. “We connect to five different radiology centers through the HIE,” Beighe says. “The ability to perform a referral, order across facilities, and share radiology reports through the HIE/cloud is the key to moving patients’ care among primary-care physicians, radiologists, orthopedic surgeons, and others who need to see reports. The stakeholders are evaluating community-wide VNA solutions, in addition to currently installed PACS implementations.” Radiology Image Exchanges George Tudder, MBA, CIIP, is director of Imaging Informatics at University Hospital in Salt Lake City, Utah. He describes the cloud as centralized storage that is decentralized from the enterprise. A radiology image exchange, for example, would “send images into the cloud and then give access to those who are in need,” Tudder says. “Those in need could be other radiology departments, referring physicians, or even patients (who can have those images sent into the cloud, where they can download them and/or forward them to someone else). This would take the place of fetching a CD.” Eliminating the patient-as-courier mentality could do away with several time-wasting transactions. “Today, I walk in with a CD, and perhaps I get to the appointment at 11 am,” Tudder explains. “I hand over my CD, and now the physician must take 10 minutes to look at those images. Now, it’s 11:10, and I’m still waiting in the exam room.” In a more efficient workflow, physicians could have all images prior to the patient’s arrival. Then, when the patient arrived at 11 am, the physician could immediately consult the images, even showing them to the patient and pointing out areas of concern. “The viewer is basically attached to the cloud,” Tudder says, “and you can pull those images right into the room.” Tudder points out that in emergency cases, initial images can be sent to the cloud and then downloaded by the trauma center, where clinical planning can occur while the patient is en route. “Without the cloud, patients arrive with a CD. Sometimes, you can’t get that CD’s files to open properly,” he notes, “so you repeat the study. The cloud prevents this repetition.” At this point, the disadvantages of using the cloud are minimal—and perhaps nonexistent, Tudder believes. “I can’t think of a reason to hesitate in implementing a cloud. We can save patients time and keep them from having to be the mule who takes a CD from location to location. It will save money, in terms of how many times you send images by courier to hospitals or referring physicians. When extrapolated across the country, these relatively small costs will add up,” he says. Tudder’s hospital has been using what he describes as primarily a community cloud for image management and transfer for the past two years. The project started with two or three hospitals sharing images electronically, and that number ballooned to include more than 180 hospitals in a five-state area. The members share all of the costs. For Tudder, security has been a major concern, all along. “We vetted a number of options, including creating our own service, and felt it was much more secure to work with a vendor in the industry,” he says. “Working with a vendor also improved the acceptance, by other practices, of the technology—allowing for a more immediate return on investment.” Prior Studies The future, Tudder says, is likely to feature the ability to search the cloud across multiple entities to improve patient care. This improved search function could help in situations where patients are unaware of the location (or even existence) of prior studies. Efficiencies such as these are rarely overlooked by insurance companies, and Tudder expects more companies to support cloud-based incentives. “The cloud will help reduce duplicate exams,” he says. “A lot of states are supporting HIEs, but we can’t have 50 state HIEs that can’t talk to each other. Cloud technology would help make those geographical exchanges easier, both nationally and internationally.” Philbin agrees that the cloud has the potential to make CDs a thing of the past—replaced by a patient record aggregated across enterprises. “If you have your exam done in an outpatient imaging center, and then, you go to a hospital in a different company, you carry a CD or film,” he says. “The cloud has the potential to eliminate all those physical media and make all your images and prior studies available at other enterprises, even though they weren’t taken there.” Philbin estimates that within the next five years, the cloud will eliminate 95% of CDs and virtually all film. At that point, physicians will be efficiently accessing prior studies and making better (and quicker) diagnoses. Rowell believes that the movement toward community-based clouds will start to take hold, but many people are now implementing private clouds. “They will eventually see the value in community,” he says. “As the cloud technology matures and the security aspect improves, it will lessen that hesitation, and people will start adopting it more.” He continues, “I think, in 2013, you’ll see the adoption rates go up because people will be more comfortable with the security that can be delivered by service providers and the guarantee that service providers can bring to the table. Private clouds will still be the primary version, but the size of the community-cloud group will start to increase.” The financial and energy sectors are overcoming security issues in the cloud by deploying private clouds instead of working with public cloud-service providers, Rowell says. “They are getting the benefit of the cloud delivery model—its standardization and elasticity—but they are paying a higher price because it is private and dedicated,” he says. “Another way is a hybrid-cloud approach: Users keep their most sensitive information private, but when things are ancillary, they will place them into a public cloud, leverage that cost, and get the flexibility of a public cloud.” Mobile Momentum The mobile revolution virtually ensures that medical images and software will be available on any mobile device, in the future. “Because medical imaging studies are big, the model has always been to move data to the workstation,” Philbin notes. “By moving rendering engines into data centers in the cloud, you need far fewer computing resources on the client’s side. Instead, you’ll have a tablet where physicians can see medical images as easily as they can see the text record.” Diagnostic interpretation can’t be done on phones (yet), but iPad 3 Retina™ displays (assuming that they are calibrated correctly) are appropriate. They offer resolution levels high enough for diagnostic use, and FDA-certified apps are available for those devices. Ultimately, whether the cloud is called private, public, community, or hybrid, Philbin says, the vendor community has used the word cloud so much that a bit of confusion is inevitable. “Today, for a company to do business, it almost must have the word cloud in its name or in the product,” he says. “The product may have nothing to do with what the cloud is, but the company uses the term. We, as a vendor community, still need to come together more and define what the cloud is—and is not—for consumers. After that, we must clearly illustrate its benefits.”

Greg Thompson is a contributing writer for Radiology Business Journal.