From Theory to Reality: Building a Secure Cloud Environment for Diagnostic Imaging
Kristina Kermanshahche, Chief Architect, Healthcare, Intel Corporation
Patrick Koch, Business Director, WW Vue Cloud Services, Carestream Health
February 2012
Agenda
• Intel Secure Healthcare Cloud:
– Healthcare & Cloud Computing Trends
– Core Requirements & Design Considerations
– Strategy for Adoption
– Technology-Differentiated Services
• Carestream Cloud-Based Diagnostic Imaging:
– Challenges & Benefits
– Industry proof points and usage models
– Architecture & Infrastructure
– Demo
Healthcare & Cloud Computing Trends
Evolution of the Datacenter
[Figure: three stages of datacenter evolution. Discrete Datacenter (discrete networks, servers, storage arrays, management) → Virtualized Datacenter (VMs on consolidated servers, 10G unified network) → Cloud Datacenter (cloud infrastructure layers of compute, storage, network, security and management over datacenter facilities such as cooling and power). Caption: Efficient and Secure, Open Architecture, Flexible Network, Flexible Management.]
Cloud Computing Business Drivers

High-Level IT Strategies and Goals
Efficiency
• Enormous economies of scale
• Efficiencies in size: buying power, infrastructure, power consumption
• Unparalleled resource utilization
Agility
• Improve provisioning time from days to hours
• Automate workflows to enable consistency, agility and elasticity
• Pay for the resources you actually use
Availability
• Deliver high availability for all workloads, regardless of location
• Protect IP, data and differentiated business processes
• Provide secure, broad network access on authenticated devices
Services
• On-demand, self-service portal to streamline business processes
• Establish measured services for VM utilization, health and usage
• Apply actual application consumption for IT capacity management

Business Benefits: Healthcare Utility & Value-Add Services
• Address scarcity by effective allocation of resources & expertise
• Leverage ecosystem for non-core competencies, achieve economies of scale
• Accelerate standards adoption through lower barriers to entry
• Build the network value model of exchange
The Rise of Healthcare “Big Data”
• Diagnostic Imaging
– Average hospital requires 175 TB for images & clinical records and consumes an additional 15 TB annually; data archive for 20+ years. [1]
– In 2006, primary copy storage for all U.S. imaging = 24 Petabytes (assumes no duplication for RAID, archive, disaster recovery). [2]
– By 2014, US primary copy storage expected to reach 100 Petabytes. [2]
• Genomic Data
– The Human Genome consists of 3 billion base pairs; unannotated, it requires 3 Gb of storage uncompressed. [3]
– In 2007, Baylor College of Medicine required 125 TB, with a projected 25-fold increase in storage over the following two-year period. [4]
– Digital data projected to reach 35 Zettabytes by 2020, a 44-fold increase from 2009. [5]

Sources:
1 John Halamka, CIO, Beth Israel Deaconess, http://geekdoctor.blogspot.com/.
2 “Prepare for Disasters and Tackle Terrabytes When Evaluating Medical Imaging Archiving,” ©2008 Frost & Sullivan.
3 Human Genome Project FAQs, http://www.ornl.gov/sci/techresources/Human_Genome/faq/faqs1.shtml.
4 Baylor College of Medicine, Human Genome Sequencing Center, http://www.cwhonors.org/viewCaseStudy.asp?NominationID=340.
5 IDC Digital Universe Study, sponsored by EMC, May 2010.
Core Requirements & Design Considerations
Care Coordination Use Case
[Figure: a Client-Aware Cloud Trust Broker fronting a Cloud Vendor Neutral Archive, accessed from a smart phone, a shared workstation and a laptop across the Emergency Room, Radiology, the Operating Room, Intensive Care and Neurology. Five numbered steps:]
• Patient arrives at ER with complications from brain tumor
• Radiologist analyzes current MRI, compares with prior imaging study from remote hospital
• Neurosurgeon views imaging studies, latest lab results; consults with Radiologist, Specialists
• Specialists agree on treatment plan with Neurosurgeon & Radiologist
• ICU nurses view imaging studies, update chart with patient vital signs, status
Barriers to Healthcare Cloud Adoption
High-Level IT Areas of Concern and Business Concerns
Data Transparency
• Data protection and regulatory compliance require data transparency
• May prevent PHI from being hosted in another country
• May restrict or prohibit trans-border flow of information
Auditability & Compliance
• Onsite data centre audits may be impractical for cloud providers
• SAS 70 Type II/SSAE16 certification, ISO/IEC 27001
• EU Directive 95/46/EC or HIPAA-compliant cloud providers
Vendor Lock-in
• Service-model dependent
• Provisioning & automation software built against proprietary APIs
• Cost of entry may be low, cost of exit may be high
Security & Privacy
• Must protect sensitive information at rest and in transit
• Costs associated with data breach are rising
• Cloud services and virtualization break traditional perimeter-oriented security techniques
General Deployment Considerations
Availability
– Service Level Agreements, Recovery Time Objective (RTO), Recovery Point Objective (RPO)
– Application Architecture, Fault Tolerance, Network Design
– Business Continuity / Disaster Recovery plans
Network Design
– Network dependency / carrier diversity
– Suitable, geographically-dispersed, failover data centers
Performance
– Workload peak/min sizes & variability, network bandwidth, performance constraints
– Monitoring, Notifications & Alerts
– Start-up costs (cloud on-boarding) & risks of vendor lock-in
Regulatory
– Data Protection Regulations & Locale Constraints
– Data Loss Prevention, Breach Notification
– Independent Attestation
Security
– Defense-in-depth, boundary controller, secure perimeter requirements
– Multi-tenancy risks & benefits, application security, end-to-end security model
– Isolation vs. efficiency (security vs. cost tradeoff)
– Administrative, Physical and Technical Controls
Governance
– Availability of IT expertise, Training & Employee Policy
– Security & Privacy policies, governance
– Risk Assessment & Mitigation
Secure Healthcare Cloud: Strategy for Adoption
What is Secure Healthcare Cloud?
• Strategy for adoption with phased implementation
• Best practices, standards and technologies
• Design principles, deployment considerations, and governance models
• Worldwide program, key learnings, virtualization labs
• Industry alliances including:
– Intel® Cloud Builders
– Open Data Center Alliance (ODCA)
– European Network & Information Security Agency (ENISA)
– Cloud Security Alliance (CSA)
• Comprehensive set of latest security technologies & solutions covering end-to-end cloud deployment models
• Robust set of ecosystem partners to deliver complete solutions
Secure Healthcare Cloud: Defining Characteristics
Highly Available
– Designed for failure: mitigate risk of data loss, minimize potential for business disruption, tiered service levels, mutually contracted SLAs
– Geo-dispersed data centers, redundant and diverse network carriers
– Failover/load balancing, stress testing for scalability and performance
Highly Secure
– End-to-end security design: assess the risk profile of backend systems, the network, identity assurance levels, and potential endpoint devices
– Multi-tenancy by design; designed for breach and other failures, establishing a multi-layer, defense-in-depth approach
– Physical, technical and administrative controls including application security and identity management, encryption at rest and in transit, provisioning, backup, loss recovery, and secure destruction
– Compliance with international regulations on safe handling of protected information
Highly Transparent
– Data federation services which isolate, secure and enforce sensitive workloads, as well as establish evidence of consistent management practices
– Independent attestation of the security profile of the underlying hosting environment; evidence of consistent policy and security enforcement
– Compliance with international audit standards
Adopting Secure Healthcare Cloud
[Figure: three phases, each with Legacy Environments, Internal Clients and External Clients connected via the Internet.]

Current – Private Networks: Build/Grow Network of Private Clouds (Business Core; Utility)
• Utility: Identity Service; Controlled Terminology Service; Clinical Data Repository; Transformation & Normalization
• SaaS: Scheduling/Triage; EHR; Care Coordination; ePrescribing; ePathology; Life Sciences – private / academic

Interim – Private + Limited Public Cloud: Federated Query/Identity (Trading Networks; Utility + Service)
• Utility: Service Directory; Record Locator; Trust Fabric with trading partners; EHR Portals; Orchestration; Mediation
• SaaS: Claims Processing, Adjudication; Disease Registries; Knowledge Base; Public Health; Diagnostic Imaging; Quality Reporting

Future – Ubiquitous Hybrid Health Cloud: Network Effect Drives Innovation (Trading Networks; Value-Add Data Services)
• Utility: Master Consent & Authorization; Broad Deployment Trust Fabric
• SaaS: Clinical Decision Support; Disease Mgmt; Secondary Use; Clinical Trials; Translational Medicine

Overcome scarcity by leveraging expertise and capacity in the cloud
Technology-Differentiated Services

Architect for the Cloud Today
Driving Technology Leadership to Enable the Cloud
• Efficient – World class energy efficiency: refresh with Intel® Xeon® 5600 and Node Manager
• Open – Multi-vendor innovation with compatibility of solutions: deploy interoperable solutions and support standards
• Secure – Data protected at rest and in transit: Intel Trusted Execution and Virtualization Technologies
• Simplified – Flexible IA infrastructure and unified networking: Intel® Xeon® for servers & storage; deploy 10GbE
* Other names and brands may be claimed as the property of others. Copyright © 2009, Intel Corporation.
Healthcare Big Data Moves to the Cloud
Today: 10 TBs of Diagnostic Images for one type of test – no encryption, no data protection, no federation; forklift upgrades for capacity.
The cloud provides cost-efficient capacity scaling: data upload passes through encryption, dedupe, compression and erasure coding algorithms before reaching the data store.
Efficiency & Scalability: compression 50% savings [1]; erasure code 29% savings [1]; deduplication capabilities, savings up to 70% [1]; 79% disk savings for medical imaging [1].
Intel® Xeon® Enables:
• Dynamically Available Capacity – scale to the cloud
• Added Data Protection & Sophisticated Capabilities
• Federated Data Access Across Medical Networks
1 Intel calculations based on industry numbers for compression & erasure code
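The slide above lists encryption, deduplication, compression and erasure coding as the stages that cut disk usage for imaging data. The following is an added example, not Intel's or Carestream's code: it walks constructed sample studies through a toy version of that pipeline using only Python's standard library and reports the bytes stored after each stage against triple replication of the raw data. Encryption is left out because the standard library has no AES, and the k+1 XOR parity code is a stand-in for a production erasure code that tolerates several lost fragments.

```python
"""Toy storage-efficiency pipeline for an imaging archive: fixed-size chunk
deduplication, zlib compression and a k+1 XOR-parity erasure code, measured on
constructed sample studies (standard library only; no AES, no Reed-Solomon)."""
import hashlib
import zlib

CHUNK = 4096  # fixed chunk size for deduplication (bytes)

def constructed_studies(n=3):
    """Constructed sample data: every study shares one header; bodies differ but compress well."""
    header = b"DICOM-LIKE-HEADER " * 256  # 4608 bytes, identical in all studies
    return [header + (f"study {i} pixel row {i * 7} ".encode() * 600) for i in range(n)]

def dedupe(blobs, chunk=CHUNK):
    """Split blobs into fixed-size chunks and keep one copy per SHA-256 digest.
    Returns (unique chunk store, per-blob list of digests needed to rebuild it)."""
    store, recipes = {}, []
    for blob in blobs:
        recipe = []
        for i in range(0, len(blob), chunk):
            piece = blob[i:i + chunk]
            digest = hashlib.sha256(piece).hexdigest()
            store.setdefault(digest, piece)  # identical chunks stored once
            recipe.append(digest)
        recipes.append(recipe)
    return store, recipes

def xor_encode(data, k):
    """Split data into k equal fragments plus one XOR parity fragment.
    Returns (k+1 fragments, original length); any single lost fragment can be rebuilt."""
    frag_len = -(-len(data) // k)  # ceiling division
    padded = data.ljust(frag_len * k, b"\0")
    frags = [padded[i * frag_len:(i + 1) * frag_len] for i in range(k)]
    parity = bytearray(frag_len)
    for frag in frags:
        for i, b in enumerate(frag):
            parity[i] ^= b
    return frags + [bytes(parity)], len(data)

def xor_decode(frags, length):
    """Rebuild data from k+1 fragments of which at most one is None (lost)."""
    missing = [i for i, f in enumerate(frags) if f is None]
    if len(missing) > 1:
        raise ValueError("single XOR parity tolerates only one lost fragment")
    frags = list(frags)
    if missing:
        present = [f for f in frags if f is not None]
        rebuilt = bytearray(len(present[0]))
        for frag in present:  # XOR of all surviving fragments restores the lost one
            for i, b in enumerate(frag):
                rebuilt[i] ^= b
        frags[missing[0]] = bytes(rebuilt)
    return b"".join(frags[:-1])[:length]

def storage_report(blobs, k=4):
    """Bytes stored after each stage; savings measured against 3x replication of raw data."""
    raw = sum(len(b) for b in blobs)
    store, _ = dedupe(blobs)
    deduped = sum(len(c) for c in store.values())
    compressed = {d: zlib.compress(c, 9) for d, c in store.items()}
    comp_bytes = sum(len(c) for c in compressed.values())
    coded = sum(sum(len(f) for f in xor_encode(c, k)[0]) for c in compressed.values())
    return {
        "raw_bytes": raw,
        "deduped_bytes": deduped,
        "compressed_bytes": comp_bytes,
        "erasure_coded_bytes": coded,
        "savings_vs_triple_replication_pct": round(100 * (1 - coded / (3 * raw)), 1),
    }
```

Calling `storage_report(constructed_studies())` prints the size after each stage; the shared header chunk is stored once, the bodies compress heavily, and the parity fragments add 25% on top of the compressed size instead of the 200% that triple replication would.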
Ubiquitous Data Protection with Intel® AES New Instructions
1. Secure transactions on Internet and Intranet – used pervasively in e-commerce, banking, etc.
2. Full-disk encryption protects data on hard disks – software protects data automatically when saving to disk
3. Application-level encryption for automation and granularity – most enterprise applications offer options to use encryption to secure information
Allows broader use of encryption for better protection of sensitive health information
Carestream Cloud-Based Diagnostic Imaging
(Some of) CIOs’ issues with their imaging IT
• Ensure Availability of Patient Data over a Lifetime
• Manage Unpredictable TCO with Unexpected CAPEX
• Enable Physician Collaboration across Sites & Systems
How Do You Care For Your Data?
© 2011, Carestream Health
• Is your infrastructure capable of hosting your data securely on-premises? (power redundancy, air conditioning, security, fire detection & extinction, etc.)
• Is your IT team adequately skilled and staffed to adapt to ever-changing retention and security requirements?
• Is your architecture protected against technology obsolescence across the lifetime of data? (software, servers, storage, etc.)
Does Your PACS [Archive] Cost You Too Much?
• Continuous expansion of storage capacities to absorb the exploding production of imaging data
• Upfront capital investment in capacities which stay unused and idle during most of their lifetime
• Unpredictable Total Cost of Ownership over the lifetime of data (Investment, Maintenance, Expansion, Migration, Replacement)
Are Your Physicians Able to Share & Collaborate?
• Ever more frequent demand to get faster results on-site or on-the-go
• Integrate radiology workflow between disparate legacy imaging systems across multiple distant locations
• Simple single point of access to the patient’s imaging record across the continuum of care for the community
Now Introducing… Vue Cloud
LIBERATING TECHNOLOGY.

A New Delivery Model for Software
Cloud-based Services shift the model:
• from Ownership to Usage
• from Do-it-Yourself to Service Level Agreement
• from Point-to-Point Access to Cloud-based Access
A Portfolio of Innovative Cloud Services
Vue Cloud by Carestream: Collaboration-as-a-Service, Teleradiology-as-a-Service, Cloud Portal, PACS-as-a-Service, Archive-as-a-Service
[Figure: services connect a Regional Hospital, a Physician’s Office, a Reading Center, a Rural Clinic and a University Hospital.]
Vue Cloud by Carestream – Service Architecture
[Figure: customer sites (Hospital, Physician’s Office) connect over a Virtual Private Network (VPN) to the Vue Cloud Platform, operated by Carestream in a Tier-3 Data Center.]
Customer’s Responsibility (no change; vendor-neutral infrastructure):
• DICOM [PACS, modalities]
• HL7 [RIS, HIS]
• IHE XDS-i [ECG, jpg, mpg, pdf]
• Local Access (LAN)
Service Boundary: Carestream Service Access Point (local cache adapted to needs); remote monitoring 24 x 7
Carestream’s Responsibility: Vue Cloud Platform operated by Carestream in a Tier-3 Data Center
• Active Archive
• Disaster Recovery
• Unlimited retention
• Cloud Portal and Remote Secure Access
Behind the Cloud: Cloud Services Platform
[Figure: Vue Cloud by Carestream platform behind a DMZ, with Application Servers and Database Servers holding a Primary copy and a Disaster Recovery copy; platform functions: User Mgt, Statistic Reporting, Audit & Security, Proactive Monitoring.]
Vue Cloud: A Proven Global Platform
Reference sites: Tufts Medical Center, Boston; Long Beach Memorial, CA; CHR Orleans, France; Nij Smellighen, Netherlands; Schwarzer Baer, Hannover; CMS Tokyo Group
Community Hospital Going Cloud Archive
Customer Profile
• Busy 200-bed community hospital
• Doing over 200,000 Diagnostic Radiology Studies per year
• Needed increased IT infrastructure for medical imaging
• Needed additional IT staff
• Wanted an archive solution that was vendor neutral
• Wanted simple yet effective Disaster Recovery
Achievements
• Decided to subscribe to Vue Cloud Archive Service in 2007
• Currently have over 25 TB stored in Carestream Cloud
• Currently have approx. 1,000,000 studies stored in Carestream Cloud
• All images stored are in a standard DICOM Vendor Neutral Format
Long Beach Memorial Medical Center, Long Beach CA
Teleradiology Services
Customer Profile
• 1st Private Teleradiology Service Provider in France
• Delivering on-call reading services to independent hospitals, for emergency cases, outside business hours
• Growing rapidly, and therefore needs a scalable and vendor-neutral infrastructure to connect its clients and radiologists
Achievements
• Partnering with Actibase to deliver a teleradiology infrastructure as a service
• Grown from 1 hospital to currently 12 connected to the service in 18 months, all widely dispersed across France
• Reading Center located in Lyon gets on-call studies automatically pushed from any customer location
• Planning to connect 3 additional hospitals in the coming quarter
Imadis, France – http://www.imadis.fr/
Image Exchange Across A Community
Customer Profile
• Multiple independent hospitals & private imaging centers, members of the RHIO covering Rochester County
• Looking at exchanging patient history available from other institutions to reduce retakes and improve quality of care
Achievements
• Partnering with Axolotl and eHealth Global Technologies to deliver an image exchange infrastructure as a service
• 8 Rochester healthcare institutions connected to the service
– 35,000 studies collected every month
– Hosted in CARESTREAM data center in Rochester (Frontier)
– Meta-data consolidated and images kept on-line for 2 months
– Radiology studies available on-demand from any institution
Rochester RHIO, New York, US – http://www.grrhio.org/
National Diagnostic Services
Customer Profile
• 39 hospitals across 16 health boards with legacy IT environment
• 3 million studies per year, approx. 120 TB
• 8,000 users across 2,000 wards
• Limited IT skills within NSS
Achievements
• Private cloud with PACS/RIS/Archive (4 yrs)
• 2 fully redundant data centers with hot fail-over integrated to the National EMPI
• Priors automatically pulled out of the national patient imaging record
• Radiology from multiple hospitals acting as a single department
National Radiology System, Scotland
Benefits of Vue Cloud Services
• PERFORMANCE – Your contract defines all the services we will provide, including availability, performance, data restitution and regular reports on usage and activity
• SCALABILITY – Add and remove data, users, sites, and tools freely as your workload ebbs and flows, without giving up any functionality
• PREDICTABILITY – Predictable total cost of ownership; eliminate unexpected costs from outdated internal support systems
• RELIABILITY – 24x7x365 proactive monitoring and remote support to provide guaranteed uptime on a standardized, tested platform
• SECURITY – Increased quality and security; leave IT to an expert team and redirect your time, money and resources toward core competencies
• CONTROL – Carestream follows the precise directions of your designated internal expert, and you always own your data
Vue Cloud Community: Connect + Collaborate
[Figure: Imaging Center, Town Hospital, University Hospital and Rural Clinic share data and workflow; Radiologist, Referring Physician and Expert collaborate through teleradiology, shared expertise and consultation.]
Cloud Delivers Integrated Diagnostics at the Point of Care
[Screenshots: Patient Portal Search Screen]
Coming soon: MyVue, a Portal for Patients
Patient flow:
• Patient completes exam
• Checks out with Imaging Admin
• Patient receives email from hospital staff
• Logs on with info from email
• Patient owns his imaging record, shares on demand when needed
• Patient shares results with specialists
• Continues with own treatment/care
Hospital Ownership:
• Consent Management
• Security / Sharing protocols
• Unlimited expansion
• EHR Patient Portal Services
More on www.carestream.com/cloud
Summary
• Overcome scarcity by leveraging expertise and capacity in the cloud
• Focus on innovation; rely on the ecosystem for services outside your core competency
• Adopt standards and best practices, leveraging worldwide models
Additional Sources of Information:
• Intel® Cloud Builders
• Open Data Center Alliance (ODCA)
• Cloud Security Alliance (CSA)
• European Network and Information Security Agency (ENISA)
• Healthcare Blogs – Intel® Healthcare IT Professionals
• Whitepapers
– CARESTREAM* Increasing the Scalability of Medical Imaging Solutions
– Secure Healthcare Cloud (TXT whitepaper)
– VMware* and Intel® 10GbE Best Practices
– Securing the Enterprise with Intel® AES-NI
– Enhanced Cloud Security with HyTrust* & VMware*
– Taking Control of the Cloud for your Enterprise
– Unified Networking with Cisco* Virtualized Multi-Tenant Data Center*
• Videos
– Cloud Security: Built from the Ground Up
– Trusted Execution Technology
– Virtualization Demo/Animation
– CARESTREAM* SuperPACS™ architecture at Clalit Health Services

Intel Technologies
• Intel® Virtualization Technology (Intel® VT) – Provides flexibility and maximum system utilization by consolidating multiple environments into a single server, workstation, or PC
• Intel® vPro™ Technology – Designed specifically for the needs of business; notebooks and desktops with Intel® vPro™ technology have security and manageability built right into the chip
• Intel® Trusted Execution Technology (Intel® TXT) – Protects the confidentiality and integrity of business data against software-based attacks
• Intel® Anti-Theft Technology (Intel® AT) – Provides the option to activate hardware-based client-side intelligence to secure the PC and its data in the event the notebook is lost or stolen
• Intel® AES New Instructions (Intel® AES-NI) – The Advanced Encryption Standard (AES) algorithm is now widely used across the software ecosystem to protect network traffic, personal data, and corporate IT infrastructures
• Intel® Identity Protection Technology (Intel® IPT) – Two-factor authentication built directly into the processors of select 2nd generation Intel® Core™ processor-based PCs
• Intel® Cloud Access 360 – Protecting enterprise access to the cloud and protecting enterprise applications in the cloud
• Intel® Expressway Service Gateway – High-performance security, XML acceleration and routing; cross-domain service mediation, threat prevention, policy enforcement; interoperable ESB gateway
• McAfee Cloud Security Platform* – Consistent security policies, reporting, and threat intelligence across all cloud traffic, now available from a single platform
• Intel® Scale-out Storage – Tackle your data center’s challenges with enterprise storage solutions powered by the world’s most advanced multi-core architecture
• Intel® Solid State Drives – High-performance, self-encrypting Solid State Drives for protecting sensitive data at rest
• Intel Unified Networking – Enables cost-effective connectivity to the LAN and the SAN on the same Ethernet fabric