Reaching for the Clouds

CIO, StrataCare & ISG Services

Michael Josephs


Post on 08-Aug-2015


© 2013 StrataCare, LLC All Rights Reserved.

Orientation

The Public Cloud/DRP Opportunity & Challenge

Directionally Speaking


Orientation – Workers Compensation

Workers’ Compensation (WC) programs are state-legislated (except for federal government employees) and were created to provide compensation for employees suffering on-the-job injuries or illness

Key Players in the WC ecosystem

– Employer: required in most states to provide employee benefits for work related injuries/illnesses

– Insurance Company: affords claims management and wage replacement, rehabilitation as well as survivor benefits

– TPA (Third Party Administrator): manages state-mandated benefits for self-insured employers or those with large deductibles/retentions

– Service vendors: e.g., Document Management/Conversion, Medical Bill Review, Managed Care, Loss Prevention

StrataCare is a leader in providing Software-as-a-Service (SaaS) solutions to support the timely, accurate and secure recommended payment of medical bills for insurance carriers, third-party administrators and self-insured Fortune 500 companies for Workers’ Compensation related claims in accordance with regulatory guidelines (processes over 16M medical bills annually, representing close to $14B in medical charges)


Orientation - StrataWare

• StrataWare is delivered via private cloud from an AT&T Co-Lo center

with an

• Infrastructure is designed, implemented, expanded and consistently reviewed by large-scale SaaS hosting experts (StrataCare, AT&T, Cisco, et al.)

• StrataWare is based on a multi-tenant SOA

• Primarily leverages ASP .Net/SQL

• Incorporates MicroStrategy for SharePoint and CEP

Platform Availability: Routinely achieves 99.999% availability

Disaster Recovery: 3 hour RTO (recovery time) achieved; 16 minute RPO (recovery point) achieved

SLOC ≈ 2M


The Promise of the “Public Cloud”

Affordability: Consumption-based pricing for compute and storage services

Availability: High availability via server redundancy

Reliability: Data reliability via storage redundancy

Agility: Ability to more quickly adopt new technologies without acquiring and configuring servers, software, and supporting infrastructure.

Maintainability: Avoid back office product/server administration (e.g., upgrades, patches, documentation, backups, test restores, etc.)

Continuity: Simplified Disaster Recovery and automated Business Continuity

SaaS Product Delivery Opportunities for improved cost and human efficiencies

• IaaS: Scale the delivery infrastructure as/when (and only when) needed

• IaaS: Reduce infrastructure administration on production environments

• PaaS: Speed development and testing of product upgrades

• Accelerated ramp in an M&A environment

• Focus IS resources on SaaS delivery architecture and reducing deployment complexity (NOT monitoring, upkeep and tuning)


Challenges to Getting There – Existing Sunk Cost

Existing SaaS Hosting Investment

• StrataCare has a substantial investment in a state-of-the-practice SaaS delivery infrastructure which ensures availability and scalability in an SSAE 16 controlled, secure environment

• This continuous re-investment has been necessary for expanding capacity, truly opaque redundancy and maintaining a state-of-the-art delivery platform for ensuring performance consistency

Timing of a large scale migration to a public cloud IaaS or PaaS hosting model must be part of an acceptable depreciation calendar


Challenges to Getting There – Admin Complexity

• Scheduling

– Platform patches to production can occur on a nightly/weekly basis (for regulatory compliance)

– Public cloud maintenance windows would need to align tightly with StrataWare contracted maintenance windows

• Monitoring and Reporting

– Environment and application monitoring

– Requires vendor SLA reporting with all known issues and incidents

• Customizations (Dedicated Equipment)

– Ability to support client dropped dedicated circuits in hosting environment

Supporting these requirements would likely require highly trained cloud vendor staff and/or continued support from StrataCare IS staff


Challenges to Getting There – Platform Changes

• StrataWare is (by-and-large) multi-tenant, but there are some services tied to a single instance which would need to be addressed

• Deployment model reconciliation

• Azure PaaS does not support COM objects (which would need to be refactored) or SSIS packages, and has DB size limitations

Refactoring projects would need to be defined, prioritized and implemented along with other business and continuing engineering priorities


Challenges to Getting There – Information Security

Ensuring the privacy of PHI in a true DRP environment to national, state and contractual standards appears to be without precedent

• Regulatory Compliance:

– Vendors talk about HIPAA, which is merely the “ante” to participate in the discussion (HIPAA BAA available for Azure)

– 46 States have their own data privacy rules, some of which go well beyond HIPAA standards (http://www.ncsl.org/Default.aspx?TabId=13489)

– Most client contracts far exceed state directives

• Audits and Transparency: Public Cloud vendor ability to support contractual mandates (policies, access controls, monitoring, data encryption in transit/at rest, breach notification policies, forensics, etc.)

• Liability: Lack of Cloud vendor participation in BAAs

Other challenges only worth addressing when these obstacles can be overcome


So What Are We Doing Now?

– Monitoring

National and state legislation and data privacy

– Training

Azure Certification

– Cloud and related vendor engagement

Microsoft Amazon (SME’s through gold partnership)

Amazon, IBM, etc.

Platform Readiness Planning

– Removal of single tenant components

– Removal of COM objects from the platform

– Moving images from the DB to the file system

– Review cloud enabling applications and appliances technologies for image de-identification

Improvising

– Evaluating various hybrid Public/Private cloud models to address PHI security risks

– Looking into algorithms for dealing with PHI that can have utility beyond the cloud

– Participate in local and national forums

– Beginning to evaluate point solutions

• CipherCloud

• Brocade

– Reviewing other Health-Care industry solutions

Allscripts, QSI, Athena, SDS, Nimbus Health, etc.

Community Engagement & Watching


Some Approaches for Dealing with De-Identification

“Hybrid Cloud Model”

The most general and scalable approach would be to establish an architecture where:

a) PHI is encrypted at rest in the cloud

b) PHI is never persisted in the cloud

• Display: Retrieve PHI from private cloud

• B2B: Retrieve PHI for Payment files/EoB’s sent from private cloud

Challenge: Decryption from cloud for display

Challenge: Undermines value of public cloud

[Diagram: StrataWare User, StrataCare Private Cloud and CipherCloud, with flows labelled “(a) Key to unlock encrypted stored data” and “(b) Retrieve stored PHI for display”]
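
Option (b) above, sketched as an added example (not StrataCare's or CipherCloud's code): PHI fields are swapped for random tokens before a bill record goes to the public cloud, and the token vault stays in the private cloud. The field names, the `PrivateVault` class and the sample bill are assumptions made for illustration.

```python
import secrets

# Assumption: which bill fields count as PHI; the field names are hypothetical.
PHI_FIELDS = {"patient_name", "ssn", "date_of_birth"}

class PrivateVault:
    """Stands in for a token store that lives only in the private cloud."""
    def __init__(self):
        self._by_token = {}

    def tokenize(self, field, value):
        # Random token: carries no information about the value it replaces.
        token = f"tok_{field}_{secrets.token_hex(8)}"
        self._by_token[token] = value
        return token

    def detokenize(self, token):
        return self._by_token[token]

def to_cloud_record(bill, vault):
    """Replace PHI fields with tokens before the record leaves the private cloud."""
    return {k: vault.tokenize(k, v) if k in PHI_FIELDS else v
            for k, v in bill.items()}

def for_display(cloud_record, vault):
    """Display path: every PHI field costs one lookup in the private cloud."""
    shown, lookups = {}, 0
    for k, v in cloud_record.items():
        if k in PHI_FIELDS:
            shown[k] = vault.detokenize(v)
            lookups += 1
        else:
            shown[k] = v
    return shown, lookups

def leaked_phi(cloud_record, bill):
    """Names of PHI fields whose clear value still appears in the cloud copy."""
    blob = repr(cloud_record)
    return [k for k in PHI_FIELDS if k in bill and str(bill[k]) in blob]

# Constructed sample bill, not real data.
SAMPLE_BILL = {"bill_id": "B-1001", "patient_name": "Jane Example",
               "ssn": "000-00-0000", "date_of_birth": "1970-01-01",
               "cpt_code": "99213", "charge": 185.00}

if __name__ == "__main__":
    vault = PrivateVault()
    cloud = to_cloud_record(SAMPLE_BILL, vault)
    print(cloud, leaked_phi(cloud, SAMPLE_BILL))
    print(for_display(cloud, vault))
```

The lookup count returned by `for_display` is the cost behind the second challenge: every screen that shows PHI still depends on the private cloud.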


Thank You


Information provided to this recipient is the proprietary and confidential information of StrataCare. The Information is not open to the public or to third parties and is intended exclusively for Recipient for the intended purpose, as expressed by StrataCare. Recipient may not transfer, share, duplicate, communicate or use the Information in any other manner. To protect this Information from unauthorized use, disclosure, modification or destruction, any duplication or distribution of the information herein requires StrataCare’s written permission.