AM I BETTER OFF IN THE CLOUD? PART 2
Written By: Phil Miller, President, Integrity IT
A detailed look at pros, cons and options for moving IT services to the cloud, with special attention given to the key variables that are unique to every business.
Are you at the crossroads of aging computer equipment?
If you work for one of the thousands of Health Care organizations that utilized meaningful use dollars in 2011 or 2012 to pay for EMR technology investments, you probably find yourself at a crossroads right now. The equipment you purchased is now at or near 5 years old and nearing the end of its predicted life expectancy. What should you do? Do you continue down the path you chose 5 years ago, or is it time to reconsider your options for moving your IT systems to the cloud? You are probably going to hate this answer, but here it is – “it depends.”
Let’s start by agreeing on definitions.
Although you can find hundreds of slightly different definitions for cloud, following is the one we are using for this white paper.
“Cloud” is an umbrella term referring to internet-based computing that shares computing resources and provides data to connected devices on demand. Users have shared access to applications, servers, and services, which can make collaboration and data sharing easier.
You may also hear this referred to as “Public Cloud,” as it is open and available for anyone to use, both individuals and companies alike. Whether you are aware of it or not, you are already using cloud services in some capacity. If you have hosted e-mail, off-premise SPAM filtering, internet content filtering, e-mail encryption, offsite backups or utilize any website for business, you are already using the cloud for at least some of your business functions. When you have a mix of both on-premise and cloud-based IT applications and services, this is what is referred to as a Hybrid Cloud model. Very few companies are 100% cloud. Even those that have most services in the cloud still have some things on-premise for reasons covered further below.
INTEGRITYKY.COM | 859.253.4284
So let’s reframe the scenario. The first question to consider is NOT “Should I go to the cloud?” The first question to consider is “Which applications and IT functions should I consider moving to the cloud, and which am I better off leaving and managing on premise?” For some of you, even more specifically, “Should I move my EMR to the cloud, or should I embrace the 5-year hardware replacement cycle and manage my EMR on-premise?”
The answer to the cloud question is different for every company. The remainder of this white paper is dedicated to helping you assess your options and make the best decision for your organization based on a solid understanding of the variables that should be considered. We will review the many considerations, pros and cons, with examples of real-life scenarios and our professional recommendations. In addition to the research you undertake on this subject, we would highly encourage you to engage an IT provider, like Integrity IT, skilled in cloud and healthcare practices in this process so that a more exact assessment can be done. That assessment should include technical considerations, an analysis of your organization’s posture on risk, and valuation of the various factors to be considered. In most cases, the decisions will come down to which of these factors are most important to your organization. Since the answer is not the same for all businesses, let us look at some of the key variables you should consider.
COST
Doesn’t the cloud cost less?
The biggest misconception about cloud computing is that it will always cost less than having and managing equipment on site or in a data center colocation (colo) facility. There are scenarios in which utilizing a cloud server or service will ultimately cost less. Common examples include off site backup, security filtering services such as SPAM and Internet Content filtering, etc. However, when you look more closely at the total cost of ownership (TCO) to move all or most IT Systems and functions to the cloud, it is not unusual for that to be a higher overall TCO.
Over the past few years, several of our customers have asked us to evaluate the cost of moving their entire server/application infrastructure to “the cloud”. For some it has made sense and for others not, but it has not been the least expensive option.
Why is this true? Amazon, Microsoft and other large cloud providers can purchase and manage hardware much cheaper than you or we can. However, in nearly all cases, to meet their guaranteed uptimes, they must host servers and applications on a high availability platform that in most cases equates to at least 2 of every device needed if running it locally. This redundancy and these premium options are often not necessary for most businesses.
Another thing to be aware of when it comes to cost is that perhaps most cloud providers offer base rates on metered use of resources. Utilizing cloud services that do “metered” usage charges (i.e. AWS-Amazon Web Services and Microsoft Azure) will result in charges that may vary from month to month. For companies whose compute demands vary drastically (i.e. running computations and reports a few days of the month), this is potentially a great benefit. However, for most of the companies we support, their compute needs are consistent from day to day, and there is no reason to pay premium rates for services not needed.
A good example is the fee AWS charges for moving data in and out of their hosted platform. If you are OK with putting all of your eggs in one basket by having both your production data and backups located with a single provider, then this won’t be an issue for you. But if you are like most, you want your backups in a separate location, and preferably not in the same physical location. If your data is backed up somewhere other than within AWS, you are charged for the data transfer out of their network. For some customers with a relatively small amount of data, this is not a big issue. But for larger customers, this cost can be highly variable and add up.
GEOGRAPHIC REDUNDANCY
Is the cloud better for Geographic Redundancy?
Many businesses today are moving to cloud options to achieve geographic redundancy, which simply means that you want to have your data (and in some cases IT platforms) in locations that are geographically separated so that if a natural or man-made disaster hit, the likelihood of it hitting both locations would be very slim. For companies that operate in areas where natural disasters are more common (such as those located on the coastline), this becomes an even more significant consideration. There is an added price for Geographic Redundancy.
INTERNET SERVICE AND BANDWIDTH
How do cloud services affect my internet speed?
In recent years, we have seen the cost of bandwidth decrease drastically. We have also seen improvements and new options in our ability to control the quality of service (QOS) with our connections to the Internet, between sites and in some cases, direct connections to cloud services. As this trend continues, cloud computing will become a more realistic option for businesses. We recommend that if most or all of your applications are running in the cloud, you purchase a 2nd (failover) internet connection from a different Internet Service Provider (ISP), plus the equipment necessary to utilize both Internet circuits. That way, you will significantly reduce the likelihood of Internet related downtime. Without fast, reliable and redundant internet, the viability of moving your IT systems to a cloud provider is greatly diminished.
No matter how good your ISP is, if set up correctly, your local network will always prove to be more reliable than the Internet. In addition, with the proper type of equipment, your local network allows you to control things that cannot be controlled where the internet is involved (such as Quality of Service, Latency, etc.). Because of this, anyone considering a cloud solution, no matter how great the cloud service provider is, should realize that moving something to the cloud will likely increase downtime. Having a dual internet connection can largely offset this consideration if set up and managed properly. If you are considering changing your internet or phone service, we highly recommend that you engage an experienced IT services provider for assistance with this decision. If it’s been 2-3 years or longer, it is very likely that you can get a significantly improved service for the same or comparable price. Don’t be fooled by ISPs that offer you high bandwidth, because there are many “fine print” stipulations and other considerations. So don’t make the decision on your own. Lean on your trusted IT provider for assistance.
SCALABILITY
What if I need more resources quickly?
If your company provides services that require drastically varying compute workload demands, the near instant ability to scale up and down with most cloud solutions may make cloud the obvious choice for your company. While it is not uncommon to scale up in local and data center co-location (Colo) implementations as well, it’s the scaling back that isn’t possible. You end up continuously paying for the availability of the necessary resources to be able to scale up.
RAPID DEPLOYMENT
If your organization needs to be able to deploy new servers very rapidly and on demand, you will find that many cloud providers have mastered this piece. If your organization places a very high value on being able to do this very rapidly, then the cloud is a favorable option.
HOSTED APPLICATIONS
For many companies, their first big step into the cloud is to move a single application such as CRM, Accounting or other Line of Business (LOB) application there. In many cases, hosted application providers refer to their offering as SaaS (Software-as-a-Service). Good examples of this are cloud-based EMR (ex. Allscripts), Quickbooks, Salesforce.com, Office 365, etc. It is not uncommon for this to make good business sense, especially if it is an application you are constantly having to pay to have upgraded.
MOBILITY AND EASE OF REMOTE ACCESS
Won’t it be easier to access my data?
Many companies have chosen cloud for certain systems and applications to simplify and enhance the experience of users when they are not on the corporate network. While this same experience can be easily achieved with on premise infrastructure, for some reason, people still have it in their minds that cloud will be better. Don’t get this wrong, in some cases it is, but for the most part these benefits are not limited to cloud implementations only. Office 365 is an excellent example of a product that is leveraging the cloud to simplify remote access to business documents, email, etc. By providing shared drive space in the cloud, real time collaboration capabilities, e-mail hosting and video conferencing, and by making Microsoft productivity apps (Word, Excel, etc.) a subscription rather than a one-time purchase, Microsoft has made a huge impact on the adoption of cloud for both small and large businesses alike.
SECURITY
Is my data secure?
For many industries (especially healthcare), security is, or at least should be, a major consideration when deciding on what to put in the cloud and what not to. It would be a mistake to assume that because a hosting provider is large, your data is safer there. For obvious reasons, the larger the hosting provider is, the more likely they are to be the focus of attacks. However, these days everyone is at risk from the indiscriminate hackers for whom anyone with an exposed vulnerability is a worthy target. Another consideration is the Business Associate Agreement and the difficulty in obtaining one from large companies (Microsoft, Amazon).
DATA LOCATION
Where is my data?
One of the big down sides to many public cloud solutions is that you don’t know where your data is stored, and that it is often geographically a long distance away. The number of “hoops” you go through to get to your data, and the latency (lag) between request and response can make the end user experience less than desirable at times if these measures are poor. The other consideration is that if you need your data to be accessible to you locally, it typically takes at least a day to get it to you. Another unknown is whether your data is in a shared environment or isolated, which might pose security issues.
ACCOUNTABILITY
Who is accountable to me for my public cloud services?
Here lies a big drawback to public cloud solutions. When you are dealing with public cloud providers, the bigger they are, the smaller (and less important) you are, relatively speaking. They will provide you with SLAs which you should read very closely. In most cases, you won’t like the details you read there. Who do I turn to if I have a problem with a public cloud provider? In most cases, you are going to put in a ticket through e-mail and wait for them to email you back. For most people, that isn’t good enough when nothing is working and your business is at a standstill. From core infrastructure, like servers, to applications like Office 365, regardless of where they reside, someone needs to manage them. It doesn’t just magically happen in the cloud.
MANAGED PRIVATE CLOUD
Is a Private Cloud different?
This is a type of cloud computing that delivers similar advantages to public cloud, including scalability, but through a proprietary architecture which is managed by the provider (not the customer) and which is typically more secure. Unlike public clouds, which deliver services to multiple organizations and which are typically self-service/self-managed, a private cloud is managed by the provider, dedicated to a single organization and typically offers a higher level of environment isolation than is generally seen in multi-tenant public cloud settings. Managed private cloud offers the agility and efficiency of the public cloud with the security of a single-tenant dedicated environment.
Company A was formed when 4 independent medical practices decided to create one umbrella company under which all their practices would collectively operate. Even though each of the 4 practices continued to operate independently from one another, when meaningful use dollars became available for implementing an Electronic Health Record (EHR), they decided to implement a single shared IT infrastructure (domain, email and backups) and a shared EHR. Initially, they elected to pay for having the EHR hosted by the EHR vendor, but after 5 years of ongoing problems, they decided to consolidate their entire environment in our managed private cloud. The biggest reasons they elected to move from the EHR vendor’s hosting to a managed private cloud setting were the poor support they were getting from the EHR vendor, the poor performance they experienced on their hosting platform, and the pending large capital expenditure associated with the 5-year infrastructure replacement life cycle. Even though the hosting provider was an application vendor as opposed to a regular public cloud provider, many of the issues they experienced are the same.
1. They were running on a shared and multi-tenant hosting platform. Performance was not consistent. There were times when things ran OK and other times when the performance was very poor and not acceptable, because it was not correlating with periods of high activity at their sites.
2. The vendor was rarely able to pinpoint the cause of problems and resolve them. Instead it was always band-aid fixes, or blaming it on internet service (despite evidence that proved otherwise).
BEFORE: Here is a picture of what IT costs for Company A looked like as on premise with upcoming capital infrastructure updates.
| MONTHLY EXPENSES | COST | COMMENTS |
|---|---|---|
| Company A: Shared IT Services | $1,198 | Email, Backups, ICF, SPAM, Etc. |
| Practice A - IT Support | $525 | Current Monthly Fee |
| Practice B - IT Support | $525 | Current Monthly Fee |
| Practice C - IT Support | $625 | Current Monthly Fee |
| IT Support - Out of Scope Billing | $500 | Current contract did not cover workstation support |
| * 5 Year Update Cycle Infrastructure | *$1,408 | See next chart for details |
| Fax Lines | $120 | $40 per line with taxes |
| Long Distance (Faxing) | $200 | Estimated |
| Electronic Health Record (EHR) Hosting | $2,900 | This is the amount EHR Vendor monthly bill will be reduced by when hosting moved to Integrity IT |
| TOTAL MONTHLY EXPENSES | $8,001 | DOES NOT INCLUDE ISP OR TELCOM |
* Company A had a huge capital expenditure they were facing to replace the equipment that was at or nearing its life expectancy. Here is what that looked like:
| 5 YEAR CYCLE | QTY | EACH | TOTAL |
|---|---|---|---|
| Servers | 5 | $5,000 | $25,000 |
| Battery Backups | 5 | $750 | $3,750 |
| Electricity ($400 per year/conservative) | 5 | $2,000 | $10,000 |
| Warranties - Yrs 4 & 5 | 10 | $800 | $8,000 |
| Labor - Server Upgrades^ | 80 | $160 | $12,800 |
| Platform Software Lic OS Upgrades | 5 | $900 | $4,500 |
| Faxing Software Lic Maintenance & Support | 5 | $1,500 | $7,500 |
| Exchange Email System Upgrade (Once Every 5 Years) | 1 | $12,950 | $12,950 |

| 5 YEAR INFRASTRUCTURE COST | 5 YEAR COST | MONTHLY |
|---|---|---|
| 60 MONTHLY | *84,500 | *$1,408 |
^Server software upgrade, labor will still be required every 5 years so not factored in savings
AFTER: Company A moved IT services to Private Cloud, replacing recurring capital expense with recurring operational expense. Here is a picture of their monthly IT Services & Costs after moving to our managed private cloud.
$7,258 Monthly (roughly $750 per month in savings)
• Hosted Domain Controller with File and Print Services
• Hosted Fax Service
• Hosted EHR DB/SQL Server
• Hosted Desktops (2 Application Servers)
• Managed Backup and Off Site Storage
• Email Security and Encryption
• Unlimited Proactive Monitoring, Maintenance and Support of both Infrastructure and Users/Desktops
• Office 365 with Hosted Exchange
In the case of Company A, the move to a managed private cloud scenario saved money and resulted in a higher level of performance and service.
EXAMPLE 2: Company B is a specialty medical practice with approximately 100 users. Their physician leadership team was also facing the 5-year infrastructure life-cycle replacement dilemma and was pushing for a cloud option. When asked why they felt so strongly about it, they stated “isn’t that what everyone is doing these days?” This is a clear example of the marketing effectiveness of public cloud providers. We hear this all the time from both our customers and our prospects.
Integrity IT agreed to help Company B look into options and to do an in-depth analysis of costs coupled with pros and cons of each option. We compared multiple public cloud options to continuing with an on-premise solution. Following is some relevant information:
A. The options compared were:
• Purchase and Operate Hardware on premise
• Microsoft Azure
• Amazon Web Services
• Rack Space
• Peak 10
B. For option 1 (baseline), we included every aspect of cost including hardware, software, warranty, support allocation, supporting hardware and services (such as battery backup, rack space, cooling, electrical power, etc.)
C. Here were the findings based on an estimated 50% utilization (12 Hours per day to cover operational period and backups) with the cloud provider services.
Monthly Cost:
• Baseline = Purchase & Operate Hardware on premise
• Microsoft Azure: Baseline x 4.5
• Amazon Web Services: Baseline x 1.81
• Rack Space: Baseline x 1.79
• Peak 10: Baseline x 1.82
As you can see in this example, taking their IT Operations to the cloud translated to roughly double the cost. Here were the pros and cons we identified that were applicable to their situation.
| PROS ON PREMISE | CONS ON PREMISE |
|---|---|
| Depending on the number of users, some specific hosted applications are less costly to go cloud. Typically, this is the case if you have a very small number of users (typically 20 or less) and a system or solution that has a high base cost to deliver | Typically, higher total cost - usually double or more |
| | A high bandwidth backup internet connection becomes a requirement if critical systems are hosted off site |
| Shifts costs from capital expense to operating expense | Cloud provider scope of support is very narrow |
| Ease of scalability (on demand) | Accessing applications via the cloud introduces performance elements that cannot be quality controlled and will at times result in unexpected loss of service, degradation in performance and higher frustration levels if expectations of users are not aligned with this reality. This added complexity sometimes results in not being able to determine root cause so that recurrence of the same issue can be prevented in the future. |
| Increased Collaboration & Flexibility - sometimes increases opportunities for collaboration between employees. Colleagues can sync and work on documents or shared apps with ease, often simultaneously, receiving updates in real time. Additionally, cloud computing allows each team member to work from anywhere. The cloud centralizes your data, which means that you, your employees, and even your clients can access your company data from any location with Internet access. | Involvement of more vendors, including Internet Service Providers (required for all cloud solutions) often makes it more difficult to establish accountability for an issue. This also adds to the complexity of a situation when trying to get to the root cause of an issue. |
| Infrastructure typically resides in very high security facilities, but details of how data and systems are secured is not provided | Loss of control over security / cloud providers frequently the target of security attacks & denial of service attacks |
| Typically, Higher levels of Data Redundancy | However, backups not normally included. If they are, they are typically done to a 2nd location on the same network. Backups to other data centers are typically very costly due to metered charges. |
Bottom line: it is best to employ an unbiased and trusted IT consultant when evaluating all your key variables. As you can see from looking at these examples, the answer to the question “should we move our IT Systems to the Cloud” is complex and varies significantly depending on many variables. At Integrity IT, we have found that the Managed Private Cloud is an alternative that provides most of the public cloud benefits with fewer of the public cloud drawbacks and is often a good option for companies with 20 – 100 users. It is also true that in many situations, sticking with an on premise solution is the better route to go. We hope this white paper has helped you better understand some of the variables to consider and that, having realized the complexity of such a decision, you won’t just go with the option getting the most publicity these days (Cloud). Engage your trusted IT consultants to assist you in making the best decision for your organization, and if you don’t have one (or want a second opinion) please reach out to us for assistance.
CLOUD SOLUTIONS ARE OFTEN A GOOD FIT IN THESE SCENARIOS
• Very small or very large number of users (less than 20 or more than 1,000 users)
• Companies with multiple physical locations or a highly mobile work force
• Security Filtering Solutions
• E-Mail Hosting (if 50 or fewer users)
• Companies that provide services that require drastically varying computer workload demands
• Need to scale up / down very quickly to respond to market demands
• Companies with a need for real time collaboration among persons from multiple sites.
• Geographic (multi-region) data redundancy
• Geographic (multi-region) compute redundancy
• SaaS (Software-As-A-Service) Application (depending on uptime/availability requirements)
WHY WE RECOMMEND USING A PRIVATE CLOUD
We have moved company infrastructure (both medical and non-medical) to our private cloud hosted in our Lexington Data Center.
• Scalability / Agile / Efficient
• Managed by the provider
• Dedicated to a single organization / higher level of environment isolation
• Security of a dedicated environment
• Cost – comparable to on premise, but with flexibility, security and redundancy
CONSULTATION SERVICES
Risk Assessment
• Asset Identification
• Threat Identification
• Vulnerability Scans: Internal and External
• Controls Assessment: Physical, Technical, Administrative
• Gap Assessment, Prioritization for Remediation
Business Continuity and Disaster Recovery Planning
• Business Impact Assessment
• Recovery Point Objective: Backup Strategy
• Recovery Time Objective
HIPAA Compliance
• Annual SRA Completion
• Policies and Procedures
• BAA Templates
Employee Security Awareness Training
• Speaker Program
• HIPAA Assurance Web Portal
• PII-Protect Web Portal (non-HIPAA)
• Phishing Campaign (PII-Protect or DUO)
VCISO (Virtual Chief Information Security Officer)
• Establish your Security Vision
• Determine and Prioritize Security Initiatives
• Reduce Risk with Ongoing Security Improvements
Incident Response and Breach Investigations
• Response and Remediation plans
• Communications and Management
• Lessons Learned
SECURITY CONTROLS
Managed IPS/IDS
• Intrusion Prevention System and Intrusion Detection System
Managed SIEM/USM
• Security Information and Event Management System
Vulnerability Scans
• Quarterly and Ad-Hoc Internal and External Scans
• Reporting
• Mitigation Recommendations
Phishing Campaign
• Periodic Validation of Employee Training
Penetration Testing
• Executive Summary and Technical Report
• Single or Recurring Engagement
Encrypted Email
• PII and PHI Requirement
Internet Content Filtering
• Block Malicious Sites
• Help Control Your Internet Bandwidth Use
Multi-Factor Authentication
• Add a Second Layer Of Security to Strengthen Access to Vital Systems
Custom GPOs (Group Policy Objects)
• Security Focused GPOs: Account Hardening, Ransomware, Pass the Hash Mitigation
“Baptist Express Care has 18 locations and over 100 users, and we rely on a stable IT environment to access patient information. Integrity met all project deliverables on time with an excellent product. I could not ask for a better IT partner; they’ve been crucial to the success of our business.” –– Michelle Saborit, Director, Baptist Express Care
TRUSTED TECHNOLOGY. STRONGER SECURITY. BETTER BUSINESS.
INTEGRITYKY.COM | 859.253.4284 3080 HARRODSBURG ROAD, SUITE 104 LEXINGTON, KY 40503