Cloud Computing Roundtable
Experts delve into the multifaceted nature of cloud-based software systems, offering insight for existing users and key considerations when transition is on the horizon.
A Rehab Management roundtable panel, comprised of industry insiders in the practice-management software arena, recently shared their insight and expertise regarding the existing benefits and considerations of cloud computing software, ranging from the financial due diligence required when adopting a cloud-based software system, its benefit to therapists working outside the clinic or in multiple locations, and how a clinic can maintain and secure data should their cloud-based software vendor go out of business.
Taking part in the discussion were: Nelson Aviles, PT, TherAssist Software; Eldad De-Medonsa, PhD, president of Billing Dynamix; Maria Ellingson, director of IT Communications, TheraBill; Ricky Gomez, director of Sales and Marketing, Planetrehab; Jerry Henderson, PT, vice president of Clinical Community and co-founder of Clinicient; Seth Hobgood, head of ReDoc Engineering, Net Health; Heidi Jannenga, PT, MPT, ATC/L, founder and COO, WebPT; Charles Lee, national director—sales and marketing, Raintree Systems Inc; Dan Morrill, PT, MPT, president of TheraOffice by Hands On Technology; Adam Nelson, co-founder of Hability; Amy Orr, vice president of Sales, ClinicSource; Steve Presement, president, Practice Perfect EMR + Management Software; Karthik Rao, product specialist, PT Practice Pro; Kevin Smith, CIO, Optima Healthcare Solutions; Devin Soelberg, EVP of Operations, OptimisCorp; and Sharif Zeid, Business Director, MWTherapy by MerlinWave Inc.
Rehab Management (RM): Describe the ease of use reported by therapists and office staff who use cloud computing systems, compared to server-based systems.
Nelson Aviles: Probably the thing that makes it the easiest for therapists and staff is what they don’t notice, and that is the fact that it takes so little to set up and get going. The end users can easily set it up to access their data from multiple devices, different platforms and places.
Eldad De-Medonsa: The newcomers to the cloud-based world are amazed by: 1. Better access: They suddenly get anywhere, anytime access; 2. Fewer headaches: They do not have to care about backups, installing new releases and the like; 3. Business continuity: Even if the physical clinic was completely destroyed by a superstorm—the data is on and running without interruption; 4. Scalability: When you grow your practice from one to 10 PTs —all you have to do is get more data entry stations and not worry about the rest.
Maria Ellingson: Web technologies have advanced to the point where a web (or cloud) application can behave much like a server-based system. When these technologies are used correctly in the software, the ease of use can pretty much be the same. These days people are spending more and more time on the Web. Because of this, people are becoming more comfortable on the Web and therefore Web-based applications are a natural progression. As this trend grows, fewer people will feel comfortable in a server-based system.
Ricky Gomez: There should be no difference in ease of use between cloud-based software and server-based software. A cloud-based system does offer more mobility, but our users don’t have to choose between cloud-based and installed software because, in our system, they can be used together. So the user can use the installed version in their office and use the cloud version when they need to access their software remotely.
Jerry Henderson: Although there are many advantages to cloud-based systems, there is no inherent difference in ease of use between cloud-based and server-based systems. The user should not even be able to tell if they are operating a cloud-based system over the Internet or a server-based system over a local area network.
Seth Hobgood: One area that makes the utility of a cloud system easier involves updates/upgrades. Regulatory updates are available immediately without users needing to monitor deadlines and coordinate IT availability to download the upgrade. Code enhancements are immediate, but timed during regular maintenance routines that are scheduled to ensure convenient deployment for our customers.
Heidi Jannenga: One of the most common misconceptions about any EMR is that the learning curve is too steep to overcome—especially for therapists who do not consider themselves particularly tech-savvy. The great thing about cloud-based EMRs is that they are designed to roll out constant updates to improve the user experience. Server-based systems, on the other hand, do not perform updates as frequently because such improvements often require time-consuming software installation. With Web-based EMRs, compliance updates can occur automatically.
Charles Lee: Our system’s application is a “thin client,” therefore, the performance is at a very high level whether it is a “client server or Saas/ASP.”
Dan Morrill: “Convenience” is the word we hear the most; however, we still think that on-site servers will continue to have their place in the healthcare market. Ease of use by our definition is not about the deployment technology, but more about the user experience. If a user does not have to worry about security and backups, has access where they need access, and can successfully grow the business with a unified platform, then we have done our jobs. The overall solution is what should be important to clinics. Unfortunately, the healthcare reformers forgot to call us and ask us our opinions as therapists about reform, so we are faced with an increased administrative burden, decreased reimbursement, and margins that are razor thin.
Adam Nelson: There are three major benefits to cloud-based software systems—installation, updates, and accessibility. Our system, for example, is a purely cloud-based software system, so there’s no need to install anything on an office computer, updates to the software happen automatically, and therapists and office staff can access it from any computer, including their home laptops or mobile phones.
Amy Orr: We have seen cloud-computing move from a somewhat feared technology to an accepted and proven technology. The idea of having a server on premises requiring skilled IT staff, worrying about backups, security, office connectivity, etc can be overwhelming for many practice owners. By leveraging cloud-based systems, practice owners can avoid these hassles. Therapists find that it is very easy to use as they can access their program from anywhere and anytime using their desktop computers and/or iPads.
Steven Presement: The pros: access from any web-enabled device. The cons: speed—report retrieval is generally much slower when the software exists only in the cloud.
Karthik Rao: There are many factors that contribute to ease-of-use, but cloud versus server is not one of them anymore. Modern Web technology allows all the same UI accessibility as its desktop counterparts. There is also a distinction between cloud systems that allow access through Web browsers (true Web-based) and desktop applications that simply connect to cloud (pseudo Web-based). True Web-based software will generally work on any device (PC, Mac, mobile) whereas pseudo Web-based will still be restricted to certain operating systems and devices.
Kevin Smith: Using a cloud-based solution allows the therapist to choose the type of device that is best suited for the task at hand, which increases efficiency and guarantees a level of freedom difficult to achieve with a server-based system.
Devin Soelberg: The ease of use of any software solution is based more on the design, workflow, and support rather than the platform (cloud vs server). However, cloud-based solutions tend to be much simpler to begin using because they don’t require as much new IT infrastructure. This makes cloud-based solutions much more efficient for large companies and much more accessible to small businesses and entrepreneurial start-ups.
Sharif Zeid: Cloud systems have many features that can benefit a clinic from day 1: a) the ability to shed servers, IT expenses, and hassling with night and weekend updates and backups, b) the ability to work anywhere/anytime including any clinic location, from home, and on the go, c) the ability to work on virtually any device from desktop, to laptop to tablet, and d) Eliminate tying user accounts to certain computers.
RM: How secure is the data housed in cloud-based computing systems? What measures are manufacturers taking to assure that data remains secure?
Aviles: With our system, data is stored and managed in a professional data center. Your information is managed in a server farm with complete redundancies and off-site data backups in case of disaster. Clinics still have a responsibility relating to HIPAA to keep their screens secure and password secure.
De-Medonsa: Overall, the security of a cloud-based system is better than a server-based system. There are three major components to the security: 1. The clinic side—have a safe password, and set up two-factor authentication. 2. Data servers—The data centers are staffed and guarded 24×7, physically secured using biometric and facial recognition software. The network is secured using multiple firewalls, SSH encryption, and public/private key authentication. 3. Communication—we use 256-bit “military grade” SSL in all data transfer between the client and server.
Ellingson: Gaining physical access to a server is the number one penetration method that may result in data being compromised. If you, as a therapist, decide to use server-based software, then you must realize the responsibilities that you are taking on to keep your data secure. Cloud-based software, when done correctly, stores data in secure data centers that are guarded and monitored around the clock by trained professionals. As long as the information is being stored in a secure data center and encryption techniques are forced on information transferring from your computer and the server, it is about as secure as it can get.
Gomez: Installed software generally offers more security and dependability than cloud-based software. When using cloud-based services, users have little to no control over the security of their data. But all cloud-based software users should expect that their data is being transmitted and stored securely. Credible software providers will provide a safe means of transmitting data via the Internet and provide a secure environment to store the data and will happily explain their process when asked.
Henderson: The data is very secure in either architecture if the system is being managed by a professional IT organization with the proper infrastructure. A cloud-based system should be in a state of the art data warehouse with redundant real-time, geographically dispersed backups.
Hobgood: The data housed in the cloud lives in a secure data center that meets industry standard best practices for security, including multiple layers of intricate physical and electronic security measures. Hosting centers are constantly monitoring regulatory changes and updating security measures where needed. Clinics only have to observe basic security protocols such as password-sharing when using a cloud system.
Jannenga: Cloud-based EMR systems use data centers to house all their—and thus, your—data. To ensure HIPAA compliance, these data centers must possess bank-level security and supreme encryption methods that render data unreadable—even if hackers somehow get to it. Our system stores all of its data at a Tier III-Certified facility that provides multiple layers of access control, including a defensible perimeter, video surveillance, biometric screening, and round-the-clock security guards.
Lee: Our system’s data center is a SOC l, 2, and 3 audited facility (top level secured facility). It is also SSAE-16 compliant. Clinics have a role in keeping data secure by keeping their devices (laptops or computers) timed off if they are not using the application.
Morrill: The scary answer is that it various tremendously by the company. Network infrastructure is very expensive and shortcuts to security can create a false sense of security for clinics. Monitoring traffic for specific threats, while using advanced available and proprietary technology to make sure that only clients with security credentials have access, is step one. I always tell clinics that just because you are in the cloud, doesn’t mean that you have a scapegoat when it comes to security. Clinic owners and administrators need to understand everyone with access has the potential to be a security threat whether intentional or unintentional.
Nelson: The security of any computer program depends on the program itself, but any viable cloud software for physical therapy will protect patient information. Clinics have a responsibility to be familiar with the security policies of the software they use, and to choose those with a combination of ease-of-use and security they are willing to stand behind.
Orr: Our data centers reside in a hardened, fault tolerant facility meeting SSAE 16 and HIPAA/HITECH standards. Your data transmitted between your clinic and the cloud is secured via SSL.
Presement: There are actually many concerns here. The data is only as secure as the last scare. For example, until the Heartbleed virus became public knowledge, everyone believed their data to be secure. Then, all of a sudden, it wasn’t. We don’t know what’s coming, we can’t prepare for the unknown, breaches will definitely be on the rise, and ultimately the end user is responsible for the HIPAA fines.
Rao: Data housed in the cloud is perfectly secure as long as clinics educate employees on necessary practices regarding password sharing and security. It is no different than protecting your online banking credentials, don’t share your password with other users! Sharing a user-login between multiple employees is also a risky process—many systems will have audit trails for a practice’s security, but sharing user accounts diminishes the effectiveness of this data when something goes wrong and you need to know the “who” and “why.”
Smith: Data contained within a cloud-based solution can be very secure. In fact, a cloud-based solution has the potential to maintain a higher level of security than an on-premise solution if the SAAS vendor has achieved a positive SOC2 report and received satisfactory scores in a HIPAA Risk Assessment (both of these should be conducted by certified and credentialed third-party auditing firms). SAAS vendors who maintain these qualifications are able to prove that they are reliant and have the proper safeguards in place to mitigate risk. It also gives the user peace of mind by demonstrating the vendor’s commitment to security and investing wisely in future technologies.
Soelberg: In most cases, data in cloud-based systems is even more secure than in server-based systems. With server-based systems, the server is typically located in the same office as the clinic that often isn’t capable of providing the same level of security and redundancy. By centralizing the software in the cloud, we offer users centralized oversight/protection against data breaches, virus attack, and other threats. With both server and cloud-based systems, it’s important to note that most data breaches occur when information is downloaded to an unencrypted laptop or storage device that then gets lost/stolen/otherwise compromised. Practices need to encrypt any device that has downloaded PHI regardless of their system.
Zeid: Security and compliance are always evolving. That being said, cloud-based services are typically hosted in very secure enterprise-grade data centers that feature multiple layers of digital and physical security, not to mention redundancy and fire suppression. Clinics also need to do their part by securing passwords, protecting any printed records, and having HIPAA compliance policies in effect.
RM: How can cloud computing benefit clinics that have therapists who work outside of the clinic, or practices that have clinics in multiple locations?
Aviles: All the data they need to do their work follows them wherever they go; the chart is accessible in real time and data can be accessed from a variety of devices and operating systems.
Ellingson: Cloud-based applications store information in the cloud, making it readily available just by having an Internet connection. However, the software can be different in how it is run. Some software is installed on a computer, only using the Internet to access the information. This means you would have to install software on each computer that you will be using. Other software runs completely within the Web browser, that is, software is not physically installed on the computer. This type of software is much easier to use for therapists who work outside the clinic or for practices that have multiple locations, as the therapist only needs to have a computer with Internet access and a Web browser.
Gomez: This is where cloud computing shines. Not being tied to a server allows the user to access data from anywhere they have an Internet connection. However, our software was created to handle multiclinic companies and works the same regardless of the version the client is using (installed or cloud). Our clients can use both versions in unison.
Hobgood: Therapists working remotely or practices with multiple locations can use cloud systems to access patient data from anywhere and at anytime, which helps maintain current patient information.
Jannenga: Cloud-based systems offer the flexibility for users to document and access data anywhere, anytime, which means they can get things done regardless of whether they’re physically at the office. Plus, because there is nothing to download, therapists can access cloud-based systems on any Internet-enabled device. Speaking of devices, when shopping for an EMR, make sure you can access the system from any operating system, any mobile device, and any Web browser.
Lee: Most clinics will go to a cloud-based system if they have remote users and sites…this is an easy way to connect remote users without third party software by using TC-PIP. Our software runs as a thin client so it does not matter whether the practice has one clinic or 200 clinics…we can connect via TC-PIP in either “client server” or “cloud-based/ASP” model.
Morrill: Ease of access is probably the biggest benefit. Having Internet access to centralize data is the first step in allowing outside access to the data center. Cellular broadband has become a popular way to have mobile Internet access; however, coverage is still an issue in rural communities. We do not recommend public hotspots because it may increase the risk of privacy issues to the device, which could compromise login and password information. We always advise that access to data outside the clinic should be evaluated for risks versus benefits.
Nelson: This goes back to one of the major benefits of cloud software. Because cloud software is designed to be accessed via a Web browser, well-designed software will work on virtually any computer, in any browser, and on most mobile devices. Many cloud software systems have proprietary apps for mobile devices, while others are mobile-responsive Web applications, meaning they can be accessed and utilized on a mobile phone as well as a browser.
Orr: Since backup is centralized, practice owners have the capability to access their files remotely at any time.
Presement: Obviously, remote access is key to anyone requiring access when outside the home facility or in the case of multiple locations. But this does not have to be cloud-based. You can certainly have remote access to all of your information without relying on some other entity, totally beyond your control, actually housing your data. A clinic can easily host its own data and still have complete remote access.
Rao: Having a cloud-based system is especially important for practices with multiple locations. Data centers are designed with the necessary bandwidth to handle large volumes of connections whereas an on-site server will be limited by the bandwidth provided by local ISPs.
Smith: Most SAAS vendors offer user-friendly methods of accessing remote and mobile computer connectivity, giving therapists the ability to work outside the clinic or in multiple locations. It would most likely be cost prohibitive for the average business with an on-premise solution to implement and maintain equitable levels of connectivity with the flexibility to adapt as quickly as technology is changing.
Soelberg: A major advantage to cloud-based over server-based systems is the broad access that is possible when users aren’t connected at the office. As mobile devices become more advanced, therapists increasingly expect to be able to access their EHR from anywhere, which is much more possible via the cloud. This is especially true of rehab professionals who float to many locations and need to have a consistent and reliable connection to their patients regardless of location.
Zeid: Cloud-based systems immediately centralize all data, making connecting multiple clinic locations and working from home extraordinarily simple and easy. With a Web browser and Internet connection, therapists and staff can log in from anywhere, anytime, using any computer including mobile devices. From centralizing schedules to accessing documents anywhere, it simply doesn’t get any easier. As such, clinics can have access to all patients, scheduling, EMR, billing, and other records in all locations in one central management system.
RM: What can a clinic do to minimize the loss of productivity caused by an Internet service interruption? How are manufacturers helping solve this problem?
Aviles: We usually recommend clients have a backup strategy, an aircard, or some other means of accessing the Internet. For our part, we have redundancies throughout our service, from backup servers to SONET ring Internet service.
De-Medonsa: The best approach is to have Internet connection redundancy, either by having multiple communication channels from the same ISP (eg, cable, cellular, satellite), or by having multiple ISPs, or both—since Internet access is so crucial to us, we use the latter approach.
Ellingson: Printing out the day’s schedule in advance, having paper note templates available, or maybe even having a backup hotspot connection are some possible things you can do to prepare. While the pros of cloud-based software far outweigh the cons, the Internet connection requirement is the Achilles heel.
Gomez: For mission critical software, as software that is needed to run a clinic is, this is not a trivial matter. And the real issue is that the stability of an Internet connection is usually not in the hands of the clinic owner/operator. Connectivity and up-time are determined by the Internet service provider. Of course, the clinic owner/operator can have a backup connectivity option, but that incurs a cost.
Henderson: It is important to have backup Internet access in case your main connection to the Internet goes down, and this is easily done over cellular networks. We also recommend having a printed copy of critical documents, such as the schedule and patient telephone numbers handy.
Hobgood: Being prepared to mitigate loss of productivity during downtime or outage is critical. It’s best to define a manual downtime policy during implementation of the system that includes local paper or electronic forms and a clear process on entering data into the EHR after recovering from an outage.
Jannenga: In the grand scheme of things, Internet outages happen infrequently. But if one does happen, many businesses have mobile hotspot devices to use as an Internet backup—and EMR vendors typically recommend having at least one backup Internet connection. And you needn’t worry about your patient information. Internet outages do not compromise Web-based EMR data.
Lee: Not much one can do if the Internet connection goes down; you typically have to note on paper and wait. Our system offers a “on-line” mode (additional fee) where the user can keep documenting the encounter and sync to server when the connection returns.
Morrill: Typically, the disruption comes from the Internet service providers and not the data centers. Because the data center is live, offices can simply route through other means, such as a cellular broadband in case of an emergency. We had a situation in which a clinic lost its Internet connection due to severe weather, so the office manager stayed home to help with scheduling and the therapist was able to catch up on notes once the service was restored.
Nelson: To minimize interruptions, software companies set up multiple servers in multiple locations around the globe, and automatically switch between servers if an interruption is detected. Most companies also have security procedures in place to prevent downtime due to hacking or a distributed denial of service (DDS) attack. At the clinic level, investing in a high-quality and high-speed Internet service provider will help prevent downtime due to a loss of connectivity.
Orr: Many smartphones offer instant Wi-Fi hotspot capability. In the event of a hardware network outage, a smartphone hotspot could be employed to fill the gap until network service was restored.
Presement: The only real solution here is to have redundant Internet access in place—so if your primary Internet connection is severed, then you would rely on the backup connection—maybe less expensive, slower, but temporary—until the primary is back up and running.
Rao: The best practice for minimizing loss of productivity is having a downtime plan in place. Critical functions of the clinic should have redundancies such as printing out or saving a hard copy of the schedule each morning. Vendors should provide these types of operational reports or printouts that can be generated and printed from even mobile data connections.
Smith: At the clinic level, incorporating multiple and varied ISP connections with manual or automated failover helps to decrease the chance of Internet service interruption. However, manufacturers can help solve this problem by creating mobile solutions so that mobile computers can be used in place of cellular services. We built offline functionality into our mobile solution, which allows for full patient documentation even when an Internet connection is not available.
Soelberg: There are definitely strategic steps to minimize risk of service interruption. Ensure you have an adequate Internet connection and check the reliability of that connection regularly with simple tests. Keep several mobile hotspots on hand to run critical functions (eg, scheduling) in the event of a local Internet interruption. We also recommend keeping documentation forms (paper charts, registration forms, etc) on hand in case the system is unavailable so patient throughput can continue.
Zeid: One option is to have a backup Internet connection such as a Wi-Fi hotspot or phone-based hotspot to stay connected. Such a hotspot would keep you connected for tasks such as scheduling until full connectivity can be restored. Clinics may consider having a complete second connection if available. RM