How Zimmer Is Managing Cloud Computing

Brian Buntz

October 14, 2014


Look around you. Chances are someone is using cloud computing for one thing or another. In the home, there are lots of entertainment-related cloud-based applications, like streaming of music and movies. But cloud-based services can also be a productivity booster at the workplace. Engineers are using the cloud to collaborate remotely. Employees can use the cloud to send large files that are too big to easily send by email. The list of applications is steadily expanding.

The use of the cloud in the workplace has become so commonplace that it is difficult for companies to track. Medical device companies have the added complication of worrying about keeping things like sensitive patient data and intellectual property safe.

To learn how one company, Zimmer Holdings (Warsaw, IN), is dealing with the cloud, MPMN spoke with Olayinka James, chief information security officer (CISO) of the company.

James will speak on cloud computing security in a keynote address at MD&M Minneapolis on Wednesday, October 29.

Although the medical device industry is late to embrace the cloud, it is beginning to do so, albeit cautiously.

MPMN: What can you tell me about Zimmer's cloud computing efforts?

James: We do have business areas who have a need for a cloud application or services and will go out to purchase and deploy directly. Half of the time, our IT department doesn't even know about them at first and we classify those as part of the "shadow IT."
 
We have a lot of these kinds of cloud applications and services proliferated everywhere.
 
That is why my presentation will start by defining what cloud computing is, because quite a number of people still don't get that concept.
 
There are a lot of things that people are using today that they don't know are in the cloud because sometimes the vendors won't tell you. They will just describe it as an app that you use. But it is really software as a service, which is in the cloud somewhere.

MPMN: What do you mean by that?

James: We have a lot of employees with needs for cloud services, and they are buying those as individuals. Half of the time, our IT department doesn't even know about them at first.

For instance, someone might buy a solution for an electronic signature. They will buy it, and have their department put it on their iPads. The software has a cloud component but the person who bought it either didn't know about it or didn't think about it. We have a lot of this kind of cloud software proliferated everywhere.

That is why my presentation will start by defining what cloud computing is, because a lot of people don't get that concept.

There are a lot of things that people are using today that people don't know are cloud computing because those vendors won't tell you. They will just describe it as an app that you use. But it is really software as a service, which is in the cloud somewhere.

MPMN: How are you dealing with this issue?

James: What we did when I came in is to take an inventory of all of our cloud service providers and all of the cloud applications that we have running. The good news is that there are a lot of tools out there that can help you do that discovery.
 
When we ran a tool, what we found was a real eye opener.
 
These tools are really accurate. They can pick up 95% of what you have in the cloud. We did some analysis and found out who owns these cloud services. We then started to do an evaluation. Why do we need this? What kind of data and risk is inherent with this application in the cloud? Etc.
 
We are still going through that process because it is not easy. The first step is to take an inventory of what you have in the cloud.
 
Everybody is probably going to be shocked at what they will find out.
Oftentimes businesses are purchasing cloud software for their own benefit and productivity. I don't think people do it maliciously; they just don't know the implications of what they are doing.
 
But these third-party cloud apps can represent security threats.

I remember an example from last year of a HIPAA breach at the Oregon Health & Science University (OHSU) involving the inappropriate storage of unencrypted patient information in the cloud. Physicians-in-training at this hospital who were looking for ways to increase collaboration procured a service from Google cloud with the intent to provide each other with up-to-date information about who was admitted to the hospital under the care of their division. Unfortunately they inappropriately posted over 3000 patient data in unencrypted spreadsheets using the cloud-based e-mail and document storage services procured from Google. Because OHSU did not sign a business associate agreement with Google, it is still debatable who has the liability for the breach.
 
There are tools an IT department can use to monitor cloud applications like Dropbox for data that is not sensitive.

For things that involve sensitive information, we should be working with the business to provide preferred alternative solutions when necessary.

Brian Buntz is the editor-in-chief of MPMN and Qmed. Follow him on Twitter at @brian_buntz.
