Traditionally, Change Healthcare operated in a legacy data center environment. That is until about 5 years ago when we set out on our digital transformation journey with all roads leading to the cloud. Fast forward to today, the cloud provides us with a common architecture that our business relies on to support operations across our multi-cloud deployments, spanning AWS, Azure and Google Cloud Platform. Longer term, our cloud strategy will encompass IT operations that account for roughly one third of the company’s annual revenue.
As for many other enterprises, the cloud has allowed us to move quickly at scale, helped to automate processes for meeting regulatory requirements and provided a better security profile than many on-premises equivalents. Through our use of the cloud, Change Healthcare is now able to efficiently certify cloud environments and processes, freeing up resources to focus on our core business: running the largest medical network in the United States, which processes 17 billion transactions a year – everything from enrollments, eligibility claims and other transactions – for insurers, providers, patients and employers.
But this didn’t happen overnight. We tackled the journey in phases with many lessons learned and iterations along the way.
Let’s Start at the Beginning
Five years ago, the cloud was relatively new and a bit, well, overwhelming. So, we started small with a pilot program looking to improve three core areas:
- Increase responsiveness to customer requests
- Reduce complexity
- Decrease costs
Phase I – Cloud 1.0
In the early days, Cloud 1.0, we tried a “lift and shift” approach, moving some of our original IT processes directly to the cloud. Unfortunately, that did not yield significant benefits. The IT team lacked the new skills needed to take advantage of the cloud’s benefits. The existing systems were designed to always be running at peak load and were cost-optimized for the data center. With the “lift and shift” methodology, we ultimately ended up paying more money out of pocket, while also giving up control of our end-to-end infrastructure. As you can imagine, this wasn’t an easy business case to make.
We also experimented with a hybrid approach. In my opinion, this offered the worst of both worlds. In this model we were forced to manage network traffic between the two locations, and that became expensive. Unfortunately, in a hybrid model, because you’re not really re-architecting, you’re not fixing the underlying problems and you end up with a complicated solution with minimal benefits.
“To take advantage of the cloud’s dynamic scalability requires a shift in mindset and approach. Leave the data center concepts and legacy security models behind.”
Phase II – Cloud 2.0
Now we enter Cloud 2.0. We seized the opportunity to refresh our technology, rebuilding apps rather than shifting legacy code to the cloud. Our goal here was to optimize for the cloud architecture, with app design based on infrastructure as code coupled with built-in, automated testing. We took the “Shift Left” movement to heart and soon realized we could build and deploy apps – securely – in as little as a day. To put that into perspective, it can take more than a year to add new functionality to apps running in a legacy data center.
By slashing time to market in this way, we caught the attention of other business units within the organization. These small-scale successes showed them that moving to the cloud could be done in a way that was not only secure, but faster and at less cost. But again, the transition to the cloud must be done right – with the right architecture and the right cloud services. Only by putting the proper guardrails in place – including central management of network, users and roles – were we able to empower the other business units to quickly spin up cloud workloads in AWS, as well as connect to services and build and deploy applications on their own.
“Automation is a critical factor to successfully rebuild technology for the cloud. However, we have learned that automation can sometimes be misapplied to give us a false sense of security, so it needs to be augmented by a strong focus on evidence. Evidence can demonstrate that the automation is running and consistently doing the right thing. It also allows us to automatically identify and respond if we drift away from standards.”
Cloud 3.0 – To Infinity and Beyond
In our current state, Cloud 3.0, we’ve expanded the security and development guardrails to encompass Azure and Google Cloud Platform. We are truly operationalizing a multi-cloud innovation model. As a result, we’re now doing full-scale rewrites with some of our largest products. The next version of our medical imaging system is among the product set that will be 100 percent cloud.
Finally, we’re also focused on building out automation to make it easy for us to operationally manage the cloud. By doing this, we’ve further empowered teams and business units to quickly and effectively use the rich services the cloud affords – while upholding the security guardrails and required visibility into data, assets and risks across our cloud infrastructure.
“As we forge ahead in Cloud 3.0, secure and compliant serverless and container-based innovation and development, mapped against initiatives like Istio and service mesh, will be key. Tying it all together will be an emphasis on evidence-based reporting to prove continuous compliance.”
A Cloud Security Metaphor
Data center security is like candy with a hard shell and a chewy center. You’ve got strong network protection on the outside (the perimeter), but once inside, a user likely has many more privileges than they should.
In our move to the cloud, we made sure to apply the principles of least privilege and security by design to build out a system that’s hardened – from the core to the outside – built on top of native cloud technology from the cloud providers themselves.
This way, we operationalize within an inheritance model of security where every component has a security element to it. This has strengthened our overall security story and posture, which becomes even more critical in the highly regulated healthcare industry.
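As an added illustration (not code from the post, from Change Healthcare or from Palo Alto Networks) of the evidence-based drift detection described in the Cloud 2.0 quote and the least-privilege guardrails described here, the following Python check evaluates a constructed multi-cloud inventory snapshot against a declared baseline and produces one evidence record per resource. The resource identifiers, field names and baseline values are assumptions chosen for the example.

```python
"""Evidence-based guardrail check: compare an inventory snapshot against a
declared baseline and emit a per-resource evidence record with any drift."""
import ipaddress

# Constructed sample inventory (hypothetical resources across the three
# providers named in the post; field names are assumptions for this example).
INVENTORY = [
    {"cloud": "aws", "id": "sg-app", "type": "firewall",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"cloud": "aws", "id": "sg-bastion", "type": "firewall",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    {"cloud": "azure", "id": "blob-claims", "type": "storage", "public": False},
    {"cloud": "gcp", "id": "bkt-images", "type": "storage", "public": True},
    {"cloud": "gcp", "id": "role-deployer", "type": "role",
     "actions": ["storage.objects.create", "run.services.update"]},
    {"cloud": "aws", "id": "role-legacy", "type": "role", "actions": ["*"]},
]

# The "standard" expressed as data, so it can be versioned next to the IaC.
BASELINE = {
    "admin_ports": {22, 3389},   # never reachable from the whole internet
    "storage_public": False,     # no publicly readable buckets/containers
    "role_wildcards": False,     # least privilege: no wildcard actions
}

def check_resource(res, baseline=BASELINE):
    """Return drift findings for one resource; an empty list is evidence
    that the resource currently matches the baseline."""
    findings = []
    if res["type"] == "firewall":
        for rule in res["ingress"]:
            world = ipaddress.ip_network(rule["cidr"]).prefixlen == 0
            if world and rule["port"] in baseline["admin_ports"]:
                findings.append(f"admin port {rule['port']} open to {rule['cidr']}")
    elif res["type"] == "storage":
        if res["public"] and not baseline["storage_public"]:
            findings.append("storage is publicly readable")
    elif res["type"] == "role":
        wild = any(a == "*" or a.endswith(":*") for a in res["actions"])
        if wild and not baseline["role_wildcards"]:
            findings.append("role grants wildcard actions")
    return findings

def evidence_report(inventory=INVENTORY):
    """One record per resource, suitable for a continuous-compliance report."""
    return [{"cloud": r["cloud"], "id": r["id"], "findings": check_resource(r),
             "status": "drift" if check_resource(r) else "compliant"}
            for r in inventory]

def drifted_ids(inventory=INVENTORY):
    """Sorted ids of resources that have drifted from the baseline."""
    return sorted(r["id"] for r in evidence_report(inventory) if r["findings"])
```

Run on a schedule against a real inventory export, the compliant records are the evidence that the guardrails are still doing their job, and the drift records are the trigger for an automated response.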
The Cloud = Opportunity
Change Healthcare’s cloud journey has been truly eye-opening. Some of the biggest surprises, looking back at the last five years, are the things that I’m not doing anymore (e.g. bug bashes, big bug triage meetings, worrying about changes made to production, etc.). This is primarily because I’m continuously building, testing, and deploying. I know that if I stepped out of the office right now and I asked my team to do a deployment, they would be able to within the hour, with virtually no impact to our customers.
The cloud has really eliminated fear around rolling out a production release. Pre-cloud, apprehension was the name of the game. We literally made a dedicated effort to not be in the office. Now it has become such a non-event that I could not tell you when our last deployment was, or what our deployment schedule is. I honestly don’t know because we deploy on demand – in an automated, secure fashion – purely driven by business need.
Net net, because we rewrote our applications for the cloud, we were able to achieve the following outcomes – with many more to come:
- Infrastructure as code. This is a game changer for us. It has allowed us to shift left on security and more.
- CI/CD and full test automation. This is current state and we are quickly moving toward DevOps and AI Ops models.
- Cloud-First approach. We’re truly cloud-first and continuing to move the management of hardware to outside our own IT via managed services, containers, and serverless technologies.
If you remember nothing else, remember this: The security partner you choose in your cloud journey makes a dramatic difference, not only in the process but to the final outcomes. For Change Healthcare, it was important to have a security partner who believed as strongly in all the advantages the cloud represents. For Palo Alto Networks, the cloud is synonymous with the future, and they provided us with the services and tools, both hardware and software, to make the journey easier for our employees, partners and customers.
The post Change Healthcare’s Road to Cloud Compliance is Paved with Lessons Learned appeared first on Palo Alto Networks Blog.