New heights are being reached in a canton famed for its mountains: Kantonsspital Graubünden, a hospital in Chur, the capital of the Swiss canton of Grisons, has proven that summits can also be scaled in the IT world. Its achievement has been to build a clinical information system in the public cloud using cutting-edge technology. But how does it ensure data protection?
Look through a window at Kantonsspital Graubünden hospital in Chur and you may well see the peaks of the Calanda massif. Given the imposing mountain scenery, it takes little imagination to understand why this area is so popular with hikers and skiers alike. Mountain air is considered healthy. And it obviously boosts the imagination, given not only the many well-known artists who come from Grisons or have settled there, but also the work ongoing in the hospital’s IT department, where an innovative project is in the making.
CIO Martin Pfund is pursuing innovative plans there with a cloud-based clinical information system (CIS). While clouds are not popular with mountain hikers, the head of IT sees them as the future for hospital computer systems. ‘For me, the cloud is a cornerstone of digital transformation,’ he emphasises.
A CIS in the public cloud
With his plans, Martin Pfund has set his sights as high as the mountain peaks in the canton. He recently demonstrated with a proof of concept (PoC) that a clinical information system (CIS) can be operated in the cloud. Specifically in this case the Microsoft Azure public cloud. A cloud-native version of the CIS from CompuGroup Medical (CGM) has been used to create a modern system based on state-of-the-art cloud technologies.
While this is certainly an ultra-advanced solution, having highly sensitive patient data in the public cloud sounds about as tempting from a security perspective as an impending rockfall. In fact, the cloud infrastructure itself is better protected against cyberattacks than most on-premises installations. But how can data protection be guaranteed in the public cloud? ‘Of course, data protection was the biggest hurdle in the project,’ Martin Pfund candidly admits.
‘Protecting SaaS cloud solutions with a “bring your own encryption” service such as e3’s Centraya CASB requires a balance between protection and functionality. There’s also always a bit of scepticism that needs to be addressed when it comes to encryption. We were able to accomplish all of this within the PoC.’
Thomas Fürling, CEO of e3
The solution is to store sensitive information in the cloud in an unreadable format. To meet data protection requirements, sensitive information is first encrypted via a gateway from Swiss security provider e3 and then stored in the cloud. If such data were to fall into the wrong hands, little could be done with them, let alone any conclusions drawn about personal patient information. ‘This allows us to ensure that patient data is handled responsibly,’ emphasises Pfund.
But simply encrypting the sensitive information when it is saved is not enough, he adds: ‘It is clear from the guidelines issued by the Federal Data Protection and Information Commissioner (FDPIC) that we need to manage the data encryption key, not, for example, the cloud provider.’ This means that neither Microsoft as the operator of the cloud environment nor CGM as the provider of the CIS software can read the sensitive data. Anyone who gains access to patient data outside of Kantonsspital Graubünden (KSGR) will not glean any useful information. In a sense, the encryption serves as a protective forest, preventing data leaks and unwanted access.
‘CIS as a Service’, a (European) premier
Martin Pfund is breaking new ground with an CIS from the cloud. And perhaps one day tourism brochures will not only state that the canton of Grisons is home to Davos (1,560 metres above sea level), Europe’s highest town, but also probably Europe’s first ‘HIS as a service’ from the public cloud.
Why is such pioneering spirit evident at KSGR of all places? ‘The shortage of IT specialists is one of the drivers behind this project,’ explains Martin Pfund. ‘With decentralised healthcare in the canton of Grisons, with its high number of regional hospitals due to its topography, having a common basis for individual CIS reduces IT costs.’ And scarce IT specialists don’t have to worry about operating the infrastructure as well. This task is handled by the respective project partners. For example, if someone has to visit a hospital in Europe’s highest city, Martin Pfund wants their patient data to be collected in an infrastructure that is similar to that used in Chur, almost 1,000 metres further below.
Having the same CIS in all hospitals would also make work easier for employees. ‘Due to the shortage of skilled workers, specialists will increasingly have to work across different sites,’ says Martin Pfund. ‘And that’s why it’s an advantage if employees are encountering the same familiar system everywhere.’
The right step into the future
Collaboration of this kind between individual hospitals is, of course, simplified by the cloud. However, the multi-client capability of the CIS also plays an important role, emphasises Martin Pfund: ‘With the cloud, we have found an approach that ensures that all hospitals work on the same platform, while enabling the regional hospitals to retain their independence and use the functions of the CIS that are important to them.’
‘We are delighted that Kantonsspital Graubünden, a pioneer in the Swiss healthcare system, has successfully tested CGM’s CIS in a PoC in the Microsoft Azure cloud. The pioneering CGM on Azure PoC was implemented in collaboration with our partners Swisscom, CGM and e3 and is a significant milestone for Microsoft Switzerland. It promotes innovation and technological progress in the healthcare sector and meets the most stringent compliance and data protection requirements through Microsoft’s Swiss data centre. The multi-client and scalable solution without infrastructure life cycles offers KSGR the highest security features and flexibility, with a focus on improved patient care. The final implementation would make a significant contribution to the digitalisation of the healthcare system in Switzerland.’
Denise Richard, Account Executive & Public Sector Industry Lead Health, Microsoft Switzerland
This is not dissimilar to the models of nearby ski resorts, some of which have joined forces to provide a more attractive offering for customers to the benefit of all. The architecture, developed by Swisscom cloud architects in collaboration with KSGR, represents a win-win in a way. Regional hospitals benefit from a wider range of CIS functions than could be cost-effectively provided as a standalone solution. And profitability is definitely a factor, as Martin Pfund emphasises: ‘If we manage the cloud properly and only use the resources we really need, we save compared to on-premises costs.’
This means, for example, shutting down test and development systems overnight, but also ramping up resources at peak times. Scalability is the advantage of the cloud that has made this architecture popular in the first place.
However, the road to a successful proof of concept has been long and rigorous. ‘We have really felt the pressure of taking on this pioneering project,’ admits Pfund. ‘The partnership with Swisscom has made it a lot easier for us. Both sides recognised the potential of this project.’ This pioneering spirit was supported by the courage, perseverance and pragmatism of the parties involved – qualities that were also needed by the mountaineers who undertook the first documented ascent of the Calanda massif almost 500 years ago.
‘Everyone may be talking about cloud-based applications, but they have not yet arrived in every industry. Particularly in the healthcare sector, there are reservations when it comes to data security and availability. It was precisely these aspects that were addressed with the PoC. Swisscom used its expertise in other sectors, such as banking, to make the project a success. In doing so, Swisscom is providing important impetus for digitalisation in the healthcare sector and confirming its role as a partner for service providers.’
Christian Westerhoff, Head of Vertical Healthcare, Swisscom
Azure consulting: into the cloud with Swisscom experts
A successful cloud strategy requires good planning. Our experts will advise you on planning, implementing and operating solutions with Microsoft Azure. And prepare your IT for the future.
