In April, software giant Microsoft made a lot of headlines announcing its multibillion-dollar acquisition of Nuance, the cloud-based clinical intelligence developer best known to healthcare providers for its Dragon and PowerScribe speech-recognition products.
Business analysts and reporters zeroed in on impressive financial details and utilization potential for “ambient AI” technologies in health settings. But more than anything, the deal shows how serious Microsoft is about its healthcare IT ambitions — and how central its Azure cloud service is to those goals.
Long before the acquisition news (or even the launch of Microsoft Cloud for Healthcare last year), Microsoft has been aggressively investing in making its Azure cloud computing service attractive to healthcare for hosting, building, testing, deploying, and managing applications and services. It’s worth noting that all Nuance’s leading speech-to-text healthcare products, designed to integrate nicely with electronic health record (EHR) systems, are software-as-a-service (SaaS) offerings built on Microsoft Azure.
The Cloud and Healthcare IT
In the age of digital transformation, the healthcare industry is leveraging the cloud for more than nifty EHR documentation services. Organizations need its flexibility to rapidly scale resources without big capital expenditures, build and host myriad applications, facilitate collaboration, generate clinical/operational insight, and deal with expanding volumes of health data. In the hyperconnected and data-deluged modern world, the cloud is really the only feasible option for computing and storage infrastructure moving forward in most industry sectors — and that includes healthcare. Microsoft knows this.
But cloud utilization in healthcare comes with unique requirements — health data are sensitive, protected, and subject to distinct regulatory constraints. In the US, maintaining HIPAA and ONC Cures Act Final Rule compliance and ensuring the privacy and security of — as well as appropriate accessibility to — protected health information (PHI) is compulsory.
And while public cloud providers like Microsoft Azure supply guidance and resources for designing CURES Act- and HIPAA-compliant environments, that doesn’t mean that everything on Azure is automatically “safe” for healthcare use. Cloud utilization comes with shared responsibilities, and healthcare organizations using the cloud are responsible for their own regulatory compliance and data protection functions and processes.
The IaaS Shared Responsibility Model
In a traditional data center, the organization owns and is responsible for security entirely — from physical space and server hardware to the network and data and applications. With Infrastructure-as-a-Service (IaaS) and public clouds like Azure, the security responsibilities are shared between the user (in this case, the healthcare organization) and the cloud infrastructure provider (Microsoft).
For example, Microsoft ensures that its physical infrastructure is secured, and assumes responsibility for hardware and facility access control across geographical locations. It also ensures that its Azure cloud service is fault-tolerant and reliable, with failover provisions for outages.
But customers using Azure are responsible for securing the data they put in the cloud and the way their applications behave (for example, by enforcing complex password policies and authentication measures to ensure that hackers can’t easily break-in).
Microsoft will sign a HIPAA Business Associate Agreement (BAA) with Azure healthcare customers that define and covers in-scope services, as is required by law for HIPAA compliance. But the healthcare organization using Azure still bears responsibility for achieving and maintaining its state of HIPAA compliance and ensuring its cloud instances are configured correctly.
This IaaS shared-responsibility model is a lot like renting an apartment. The landlord may be responsible for the safety and soundness of the building as a whole, but you’re still responsible for locking the door to your own apartment.
The Future of Healthcare IT
It may sound like all this requires outsized effort just to manage IT, but the truth is that modern healthcare IT is experiencing a complex evolution. There are many industry-specific considerations organizations must navigate to master cloud utilization, and regulatory compliance is only one of them. On the other side of all that effort lies technological capability that can profoundly transform day-to-day operations.
The upsides of cloud power are too significant to ignore: scalable, agile, cost-efficient technology resources running secure, reliable, and largely automated services that extend capabilities while actually reducing complexity.
Microsoft’s continued interest in the healthcare industry is a good thing — and its cloud service is helping to drive a virtuous cycle in healthcare innovation. For example, automatic speech recognition is an incredibly compute-intensive function. Without Azure’s cloud power, would Nuance have even become a healthcare trailblazer worthy of such high valuation? The cloud model has enabled the development and use of tools that can listen as a doctor chats with a patient to automatically generate EHR documentation. It’s pretty amazing when you think about it — and it will power more evolutionary leaps in healthcare IT moving forward.
About Gerry Miller
Gerry Miller is CEO and founder of Seattle-based Cloudticity, a digital enablement partner for the healthcare industry. Gerry is a serial entrepreneur and healthcare fanatic with over 30 years in the technology industry. Prior to Cloudticity, Gerry was brought in as the chief operating officer at ePrize; he turned around a failing company that was eventually sold for a fourfold return on the initial private equity investment. Before ePrize, Gerry spent eight years at Microsoft, first as chief technology officer for the US central region, then running the global business unit that oversaw General Motors (Microsoft’s second-largest customer), growing that account from $20MM to over $100MM in three years. Prior to Microsoft, Gerry spent nearly a decade in the technology consulting and startup industry. He holds all five AWS certifications.