A Framework for Evaluating Cloud Deployment Within Healthcare Organizations – Part 2

In my previous blog post, I discussed how moving from internal IT service delivery to a cloud model requires a fundamental shift in organizational planning, a major component of which is human resource (HR) planning, also referred to as human capital management. No matter the cloud delivery model chosen, there will be an impact on IT department responsibilities, as well as the types of roles needed to support the new model.

This shift in HR planning needs to revolve around the primary driver for moving to a cloud delivery model; the desire to focus more financial resources on delivering care to patients. The following guidelines provide a description of how key roles within an organization may change, and how personnel efforts – and therefore labour costs – could change with a cloud delivery model.

First of all, personnel must be fully conversant in the IT service delivery model used by the cloud service provider (i.e. ITIL and COBIT) and have a good understanding of enterprise architecture frameworks.

Business Analysis (BA) – An organization’s BA capacity may need to ramp up during the cloud model decision-making process to ensure current service delivery requirements are considered during all planning activities.

Quality requirements are fundamental to:

  • Service level agreement development and monitoring;
  • Business continuity/disaster recovery planning;
  • The development of new cloud based services.

To adequately preserve ongoing operations, an organization should augment its BA capacity to ensure that the functional requirements used in moving IT initiatives forward (in a cloud delivery model) are current and complete. Configuration databases and service sensitivity/priority documentation will require extensive updating and evaluation against proposed new service delivery methods.

Enterprise Architecture (EA) – EA personnel are essential to finding the balance between clinical and business requirements, and evaluating the service delivery capabilities of the cloud service provider. In order to maintain efficient IT service delivery and support, the EA personnel should be heavily engaged in all facets of organizational planning, particularly as it relates to the implications to IT service delivery. This will ensure the required EA models can fully leverage the cloud deployment, as well as fully describe the design of components required to bridge any service gaps.

EA personnel are needed to inform service level agreement development, business continuity/disaster recovery planning and the development of new cloud based services. Additionally, EA personnel will be key contributors to any required threat risk assessments and privacy impact assessments on services being moved to a cloud deployment.

Project Management – When internal projects are delivered by an organization with an IT department, employees are typically assigned at a certain percentage to each project. Since implementing a cloud deployment model could lead to a different project delivery model, will the cloud service provider offer additional personnel to assist your project team? Will all cloud service provider requests be processed as service requests? What are the financial implications of either model?

Internal IT project management personnel should map out current processes during the cloud model decision-making process, as well as document and provide input into the SLA and service catalogue development. This approach will allow an organization to create a professional development plan or process change plan to prepare for any project delivery model adjustments.

Security – The move to a cloud delivery model does not eliminate the need for organizational IT security service personnel; however, it will change the required skill set and operational tasks of these resources, since they will now focus on vulnerability assessments, security audits, threat risk assessments of cloud delivery partner services, risk treatment plans and strategic security planning.

So what will change? IT security personnel will no longer need to be experts in specific IT security platforms or tools such as 4GL firewalls, intrusion detection software or log parsing tools. Their role will evolve to that of an enterprise security architect, ensuring the security controls implemented by the cloud service provider serve the purpose of maintaining the enterprise's quality attributes: confidentiality, integrity, availability, accountability and assurance services.

The enterprise nature of IT service delivery means that the changes to structure, resources and responsibilities will affect the operational activities of other organizational units, such as Privacy, Audit, Risk Management and Contract Management. An analysis of these changes will be described in my next post.


Rod Thurber is Senior Consultant with Gevity's Architecture and Standards Branch. He has more than 20 years experience in healthcare IT service delivery across multiple delivery models including internal IT and private cloud. He has also been engaged to evaluate service delivery models and managed service threat risk assessments.