
Carestream Health


(1)

From Theory to Reality: Building a Secure Cloud Environment for Diagnostic Imaging

Kristina Kermanshahche, Chief Architect, Healthcare, Intel Corporation

Patrick Koch, Business Director, WW Vue Cloud Services, Carestream Health

February 2012

(2)

Agenda

• Intel Secure Healthcare Cloud:
– Healthcare & Cloud Computing Trends
– Core Requirements & Design Considerations
– Strategy for Adoption
– Technology-Differentiated Services

• Carestream Cloud-Based Diagnostic Imaging:
– Challenges & Benefits
– Industry proof points and usage models
– Architecture & Infrastructure
– Demo

2

(3)

Healthcare & Cloud Computing Trends

3

(4)

Evolution of the Datacenter

[Diagram: Discrete Datacenter, Virtualized Datacenter, Cloud Datacenter. Labels: Discrete networks; Servers, Storage Arrays, Mgmt; VM; Unified Network; 10G Unified Network Consolidation; Compute, Storage, Network, Management; Cloud Infrastructure (Network, Storage, Compute, Security); Datacenter facilities (e.g. cooling, power); Efficient and Secure; Open Architecture; Flexible Network; Flexible Management]

4

(5)

Cloud Computing Business Drivers

Business Benefits, each with its High-Level IT Strategies and Goals:

Efficiency
• Enormous economies of scale
• Efficiencies in size; buying power, infrastructure, power consumption
• Unparalleled resource utilization

Agility
• Improve provisioning time from days to hours
• Automate workflows to enable consistency, agility and elasticity
• Pay for the resources you actually use

Availability
• Deliver high availability for all workloads, regardless of location
• Protect IP, data and differentiated business processes
• Provide secure, broad network access on authenticated devices

Services
• On demand, self-service portal to streamline business processes
• Establish measured services for VM utilization, health and usage
• Apply actual application consumption for IT capacity management

Healthcare Utility & Value-Add Services
• Address scarcity by effective allocation of resources & expertise
• Leverage ecosystem for non-core competencies, achieve economies of scale
• Accelerate standards adoption through lower barriers to entry
• Build the network value model of exchange

5

(6)

The Rise of Healthcare “Big Data”

6

• Diagnostic Imaging

– Average hospital requires 175TB for images & clinical records. Consumes additional 15 TB annually [1]. Data archive for 20+ years.

– In 2006, primary copy storage for all U.S. imaging = 24 Petabytes (assumes no duplication for RAID, archive, disaster recovery) [2]

– By 2014, US primary copy storage expected to reach 100 Petabytes [2]

• Genomic Data

– The Human Genome consists of 3 billion base pairs, unannotated, requires 3 Gb of storage uncompressed [3]

– In 2007, Baylor College of Medicine required 125 TB, with projected 25-fold increase in storage over the following two year period [4]

– Digital data projected to reach 35 Zettabytes by 2020, a 44-fold increase from 2009 [5]

[1] John Halamka, CIO, Beth Israel Deaconess, http://geekdoctor.blogspot.com/.
[2] “Prepare for Disasters and Tackle Terrabytes When Evaluating Medical Imaging Archiving,” ©2008 Frost & Sullivan.
[3] Human Genome Project FAQs, http://www.ornl.gov/sci/techresources/Human_Genome/faq/faqs1.shtml.
[4] Baylor College of Medicine, Human Genome Sequencing Center, http://www.cwhonors.org/viewCaseStudy.asp?NominationID=340.
[5] IDC Digital Universe Study, sponsored by EMC, May 2010

(7)

Core Requirements & Design Considerations

7

(8)

Care Coordination Use Case

[Diagram with five numbered steps, connected through a Cloud Vendor Neutral Archive and a Client-Aware Cloud Trust Broker]

• Patient arrives at ER with complications from brain tumor
• Radiologist analyzes current MRI, compares with prior imaging study from remote hospital
• Neurosurgeon views imaging studies, latest lab results; consults with Radiologist, Specialists
• Specialists agree on treatment plan with Neurosurgeon & Radiologist
• ICU nurses view imaging studies, update chart with patient vital signs, status

Locations: Emergency Room; Radiology; Neurology; Operating Room; Intensive Care

Devices: Smart Phone; Shared Workstation; Laptop

8

(9)

Barriers to Healthcare Cloud Adoption

Business Concerns, each with its High-Level IT Areas of Concern:

Data Transparency
• Data protection and regulatory compliance require data transparency
• May prevent PHI from being hosted in another country
• May restrict or prohibit trans-border flow of information

Auditability & Compliance
• Onsite data centre audits may be impractical for cloud providers
• SAS 70 Type II/SSAE16 certification, ISO/IEC 27001
• EU Directive 95/46/EC or HIPAA-compliant cloud providers

Vendor Lock-in
• Service-model dependent
• Provisioning & automation software built against proprietary APIs
• Cost of entry may be low, cost of exit may be high

Security & Privacy
• Must protect sensitive information at rest and in transit
• Costs associated with data breach are rising
• Cloud services and virtualization break traditional perimeter-oriented security techniques

9

(10)

General Deployment Considerations

Availability
• Service Level Agreements, Recovery Time Objective (RTO), Recovery Point Objective (RPO)
• Application Architecture, Fault Tolerance, Network Design
• Business Continuity / Disaster Recovery plans

Network Design
• Network dependency / carrier diversity
• Suitable, geographically-dispersed, failover data centers

Performance
• Workload peak/min sizes & variability, network bandwidth, performance constraints
• Monitoring, Notifications & Alerts
• Start-up costs (cloud on-boarding) & risks of vendor lock-in

Regulatory
• Data Protection Regulations & Locale Constraints
• Data Loss Prevention, Breach Notification
• Independent Attestation

Security
• Defense-in-depth, boundary controller, secure perimeter requirements
• Multi-tenancy risks & benefits, application security, end-to-end security model
• Isolation vs. efficiency (security vs. cost tradeoff)
• Administrative, Physical and Technical Controls

Governance
• Availability of IT expertise, Training & Employee Policy
• Security & Privacy policies, governance
• Risk Assessment & Mitigation

10

(11)

Secure Healthcare Cloud: Strategy for Adoption

11

(12)

What is Secure Healthcare Cloud?

• Strategy for adoption with phased implementation

• Best practices, standards and technologies

• Design principles, deployment considerations, and governance models

• Worldwide program, key learnings, virtualization labs

• Industry alliances including:

– Intel® Cloud Builders

– Open Data Center Alliance (ODCA)

– European Network & Information Security Agency (ENISA)

– Cloud Security Alliance (CSA)

• Comprehensive set of latest security technologies & solutions covering end-to-end cloud deployment models

• Robust set of ecosystem partners to deliver complete solutions

12

(13)

Secure Healthcare Cloud

Defining Characteristics

Highly Available

– Designed for failure, mitigate risk of data loss, minimize potential for business disruption, tiered service levels, mutually contracted SLAs

– Geo-dispersed data centers, redundant and diverse network carriers

– Failover/load balancing, stress testing for scalability and performance

Highly Secure

– End-to-end security design, assess the risk profile of backend systems, the network, identity assurance levels, and potential endpoint devices

– Multi-Tenancy by design. Designed for breach and other failures, establishing a multi-layer and defense-in-depth approach

– Physical, technical and administrative controls including application security and identity management, encryption at rest and in transit, provisioning, and backup, loss recovery, and secure destruction

– Compliance with international regulations on safe handling of protected information

Highly Transparent

– Data federation services which isolate, secure, enforce sensitive workloads, as well as establish evidence of consistent management practices

– Independent attestation of security profile of underlying hosting environment, evidence of consistent policy and security enforcement

– Compliance with international audit standards

13

(14)

Adopting Secure Healthcare Cloud

[Diagram: three adoption stages, Current, Interim and Future, with the labels shown for each]

Current
• Private Networks
• Build/Grow Network of Private Clouds
• External: Internet
• Business Core
• Utility: Identity Service; Controlled Terminology Service; Clinical Data Repository; Transformation & Normalization
• SaaS: Scheduling/Triage; EHR; Care Coordination; ePrescribing; ePathology; Life Sciences – private / academic
• Legacy Environments; Internal Clients; External Clients
• Utility

Interim
• Private + Limited Public Cloud
• Federated Query/Identity
• External: Internet
• Utility: Service Directory; Record Locator; Trust Fabric with trading partners; EHR Portals; Orchestration; Mediation
• SaaS: Claims Processing, Adjudication; Disease Registries; Knowledge Base; Public Health; Diagnostic Imaging; Quality Reporting
• Legacy Environments; Internal Clients; External Clients
• Trading Networks
• Utility + Service

Future
• External: Internet
• Ubiquitous Hybrid Health Cloud
• Utility: Master Consent & Authorization; Broad Deployment Trust Fabric
• SaaS: Clinical Decision Support; Disease Mgmt; Secondary Use; Clinical Trials; Translational Medicine
• Network Effect Drives Innovation
• Legacy Environments; Internal Clients; External Clients
• Value-Add Data Services
• Trading Networks

Overcome scarcity by leveraging expertise and capacity in the cloud

14

(15)

Technology-Differentiated Services

15

(16)

16

* Other names and brands may be claimed as the property of others. Copyright © 2009, Intel Corporation.

Architect for the Cloud Today

Driving Technology Leadership to Enable the Cloud

• Efficient: World class energy efficiency. Refresh with Intel® Xeon® 5600 and Node Manager
• Open: Multi-vendor innovation with compatibility of solutions. Deploy interoperable solutions and support standards
• Secure: Data protected at rest and in transit. Intel Trusted Execution and Virtualization Technologies
• Simplified: Flexible IA infrastructure and unified networking. Intel® Xeon® for servers & storage; Deploy 10GbE

(17)

Healthcare Big Data Moves to the Cloud

Medical Imaging: 10TBs of Diagnostic Images for one type of test

• No encryption
• No data protection
• No Federation
• Forklift for capacity

The cloud provides cost efficient capacity scaling

• Compression: 50% savings [1]
• Erasure code: 29% savings [1]
• Deduplication capabilities: savings up to 70% [1]

[Diagram labels: data upload; encryption algorithm; dedupe algorithm; compression algorithm; erasure coding algorithm; data store]

Intel® Xeon® Enables:

• Dynamically Available Capacity: scale to the cloud
• Added Data Protection & Sophisticated Capabilities
• Federated Data Access Across Medical Networks

Efficiency & Scalability: 79% Disk Savings [1]

[1] Intel calculations based on industry numbers for compression & erasure code

17

(18)

Ubiquitous Data Protection with Intel ® AES New Instructions

1. Secure transactions on Internet and Intranet: secure transactions used pervasively in e-commerce, banking, etc.

2. Full-disk encryption protects data on hard disks: full disk encryption software protects data automatically during saving to disk

3. Application-level encryption for automation and granularity: most enterprise applications offer options to use encryption to secure information

Name: J.Doe SS# ζ…χ∀∃

Allows broader use of encryption for better protection of sensitive health information

18

(19)

Carestream Cloud-Based Diagnostic Imaging

19

(20)

(Some of) CIO’s issues with their imaging IT

• Ensure Availability of Patient Data over a Lifetime

• Manage Unpredictable TCO with Unexpected CAPEX

• Enable Physicians Collaboration across Sites & Systems

20

(21)

How Do You Care For Your Data ?

© 2011, Carestream Health

• Is Your Infrastructure capable of hosting your data securely on-premises? (power redundancy, air/con, security, fire detection & extinction, etc)

• Is Your IT Team adequately skilled and staffed to adapt to ever changing retention and security requirements?

• Is Your Architecture protected against technology obsolescence across the lifetime of data? (software, servers, storage, etc)

21

(22)

Does Your PACS [Archive] Cost You Too Much?

• Continuous expansion of storage capacities to absorb the exploding production of imaging data

• Upfront capital investment in capacities which stay unused and idle during most of their lifetime

• Unpredictable Total Cost of Ownership over the lifetime of data

(Investment, Maintenance, Expansion, Migration, Replacement)

22

(23)

Are Your Physicians Able to Share & Collaborate ?

• Ever frequent demand to get faster results on-site or on-the-go

• Integrate radiology workflow between disparate legacy imaging systems across multiple distant locations.

• Simple single-point of access to patient’s imaging record across the continuum of care for the community

23

(24)


Vue Cloud

Now Introducing…

LIBERATING TECHNOLOGY.

24

(25)


A New Delivery Model for Software

Cloud-based Services

• Ownership → Usage
• Do-it-Yourself → Service Level Agreement
• Point-to-Point Access → Cloud-based Access

25

(26)

A Portfolio of Innovative Cloud Services

Vue Cloud by Carestream

• Collaboration-as-a-Service
• Teleradiology-as-a-Service
• Cloud Portal
• PACS-as-a-Service
• Archive-as-a-Service

Sites: Regional Hospital; Physician’s Office; Reading Center; Rural Clinic; University Hospital

26

(27)

Vue Cloud by Carestream

[Architecture diagram. Labels:]

• No change; Vendor Neutral Infrastructure
• Hospital; Physician’s Office
• Service Boundary: Customer’s Responsibility / Carestream’s Responsibility
• DICOM [PACS, modalities]; HL7 [RIS, HIS]; IHE XDS-i [ECG, jpg, mpg, pdf]
• Local Access (LAN); Remote Secure Access
• Carestream Service Access Point (local cache adapted to needs)
• Virtual Private Network (VPN)
• Cloud Portal
• Remote monitoring 24 X 7
• Vue Cloud Platform, operated by Carestream in a Tier-3 Data Center: Active Archive; Disaster Recovery; Unlimited retention

27

(28)

Behind the Cloud

[Architecture diagram. Labels:]

• No change; Vendor Neutral Infrastructure
• Hospital
• Service Boundary: Customer’s Responsibility / Carestream’s Responsibility
• DICOM [PACS, modalities]; HL7 [RIS, HIS]; IHE XDS-i [ECG, jpg, mpg, pdf]
• Local Access (LAN); Remote Secure Access
• Service Access Point (local cache adapted to needs)
• Virtual Private Network (VPN)
• Cloud Portal
• Remote monitoring 24 X 7
• Vue Cloud Platform, operated by Carestream in a Tier-3 Data Center
• Cloud Services Platform (Vue Cloud by Carestream): DMZ; Application Servers; Database Servers; User Mgt; Statistic Reporting; Audit & Security; Proactive Monitoring; Primary copy; Disaster Recovery copy

28

(29)

Vue Cloud

A Proven Global Platform

• Tufts Medical Center, Boston
• Long Beach Memorial, CA
• CHR Orleans, France
• Nij Smellinghe, Netherlands
• Schwarzer Baer, Hannover
• CMS Tokyo Group

29

(30)


Community Hospital Going Cloud Archive

Customer Profile

Busy 200 bed community Hospital

Doing over 200,000 Diagnostic Radiology Studies per year

Needed increased IT infrastructure for medical imaging

Needed additional IT staff

Wanted archive solution that was vendor neutral

Wanted simple yet effective Disaster Recovery

Achievements

Decided to subscribe to Vue Cloud Archive Service in 2007

Currently have over 25TB stored in Carestream Cloud

Currently have approx 1,000,000 studies stored in Carestream Cloud

All images stored are in a standard DICOM Vendor Neutral Format

Long Beach Memorial Medical Center, Long Beach CA


30

(31)


Teleradiology Services

Customer Profile

1st Private Teleradiology Service Provider in France

Delivering on call reading services to independent hospitals, for emergency cases, outside business hours

Growing rapidly, and therefore need scalable and vendor-neutral infrastructure to connect its clients and radiologists

Achievements

Partnering with Actibase to deliver a teleradiology infrastructure as a service

Grown from 1 hospital to currently 12 connected to the service in 18 months, all being widely dispersed across France

Reading Center located in Lyon gets on-call studies automatically pushed from any customer locations

Planning to connect 3 additional hospitals in coming quarter

Imadis, France

http://www.imadis.fr/

31

(32)


Image Exchange Across A Community

Customer Profile

Multiple independent hospitals & private imaging centers members of RHIO covering the Rochester County

Looking at exchanging patient history available from other institutions to reduce retakes and improve quality of care

Achievements

Partnering with Axolotl and eHealth Global Technologies to deliver an image exchange infrastructure as a service

8 Rochester healthcare institutions connected to the service

– 35,000 studies collected every month

– Hosted in CARESTREAM data center in Rochester (Frontier)

– Meta-data consolidated and images kept on-line for 2 months

– Radiology studies available on-demand from any institution

Rochester RHIO, New York, US

http://www.grrhio.org/

32

(33)


National Diagnostic Services

Customer Profile

39 hospitals across 16 health boards with legacy IT environment

3 million studies per year, approx 120 TB

8,000 users across 2,000 wards

Limited IT skilled within NSS

Achievements

Private cloud with PACS/RIS/Archive (4 yrs)

2 fully redundant data centers with hot fail-over integrated to National EMPI

Priors automatically pulled out of the national patient imaging record

Radiology from multiple hospitals acting as a single department


National Radiology System, Scotland

33

(34)


Benefits of Vue Cloud Services

PERFORMANCE

Your contract defines all the services we will provide, including availability, performance, data restitution and regular reports on usage and activity

SCALABILITY

Add and remove data, users, sites, and tools freely as your workload ebbs and flows – without giving up any functionality

PREDICTABILITY

Predictable total cost of ownership – eliminate unexpected costs from outdated internal support systems

RELIABILITY

24x7x365 proactive monitoring and remote support to provide guaranteed uptime on standardized tested platform

SECURITY

Increased quality and security – leave IT to an expert team and redirect your time, money and resources toward core competencies

CONTROL

Carestream follows the precise directions of your designated internal expert – and you always own your data

34

(35)

Vue Cloud Community

Connect + Collaborate

Imaging Center Town Hospital

University Hospital

Radiologist

Referring Physician Expert

Rural Clinic Shared Data

Shared Workflow

Teleradiology

Share Expertise

Consultation

35

(36)

Cloud Delivers Integrated Diagnostics at the Point of Care

36

(37)


Patient Portal Search Screen

37


(40)

Coming soon: MyVue, a Portal for Patients

• Patient completes exam
• Checks out with Imaging Admin
• Patient receives email from hospital staff
• Logs on with info from email
• Patient shares results with specialists
• Continues with own treatment/care

Patient owns his imaging record, shares on-demand when needed

Consent Management

Security / Sharing protocols

Unlimited expansion

EHR Patient Portal Services

Hospital Ownership:

40


(49)


More on www.carestream.com/cloud

49

(50)

Summary

• Overcome scarcity by leveraging expertise and capacity in the cloud

• Focus on innovation, rely on the ecosystem for services outside your core competency

• Adopt standards and best practices leveraging worldwide models

50

(51)

Additional Sources of Information:

51

• Intel® Cloud Builders

• Open Data Center Alliance (ODCA)

• Cloud Security Alliance (CSA)

• European Network and Information Security Agency (ENISA)

• Healthcare Blogs – Intel® Healthcare IT Professionals

• Whitepapers

– CARESTREAM* Increasing the Scalability of Medical Imaging Solutions
– Secure Healthcare Cloud (TXT whitepaper)
– VMware* and Intel® 10GbE Best Practices
– Securing the Enterprise with Intel® AES-NI
– Enhanced Cloud Security with HyTrust* & VMware*
– Taking Control of the Cloud for your Enterprise
– Unified Networking with Cisco* Virtualized Multi-Tenant Data Center*

• Videos

– Cloud Security: Built from the Ground Up
– Trusted Execution Technology
– Virtualization Demo/Animation
– CARESTREAM* SuperPACS architecture at Clalit Health Services

(52)

Intel Technologies

Intel® Virtualization Technology (Intel® VT) – Provides flexibility and maximum system utilization by consolidating multiple environments into a single server, workstation, or PC

Intel® vPro™ Technology – Designed specifically for the needs of business, notebooks and desktops with Intel® vPro™ technology have security and manageability built right into the chip

Intel® Trusted Execution Technology (Intel® TXT) – Protect confidentiality and integrity of business data against software-based attacks.

Intel® Anti-Theft Technology (Intel® AT) – Providing the option to activate hardware-based client-side intelligence to secure the PC and its data in the event the notebook is lost or stolen

Intel® AES New Instructions (Intel® AES-NI) – The Advanced Encryption Standard (AES) algorithm is now widely used across the software ecosystem to protect network traffic, personal data, and corporate IT infrastructures

Intel® Identity Protection Technology (Intel® IPT) – Two-factor authentication directly into the processors of select 2nd generation Intel® Core™ processor-based PCs

Intel® Cloud Access 360 – Protecting Enterprise Access to Cloud and Protecting Enterprise Applications in the Cloud

Intel® Expressway Service Gateway – High performance security, XML acceleration and routing. Cross-domain service mediation, threat prevention, policy enforcement. Interoperable ESB gateway

McAfee Cloud Security Platform* – Consistent security policies, reporting, and threat intelligence across all cloud traffic, now available from a single platform

Intel® Scale-out Storage – Tackle your data center’s challenges with enterprise storage solutions powered by the world’s most advanced multi-core architecture

Intel® Solid State Drives – High performance, Self-Encrypting Solid State Drives for protecting sensitive data at rest

Intel Unified Networking – Unified Networking enables cost-effective connectivity to the LAN and the SAN on the same Ethernet fabric

52
