Cloud services come in many different forms, which is one reason why their adoption keeps climbing. Backup services are one type of cloud service that has penetrated healthcare, particularly drawing interest from small to midsize medical facilities. Providers are recognizing it is far more cost-effective to deploy disaster recovery services in the cloud than to build secondary hot or cold sites where duplicated infrastructure is on standby.
Many providers are taking healthcare data security more seriously thanks to HIPAA rules and the HITECH Act. HIPAA specifies that data should not only be backed up, but must also be recoverable and usable in case of a system failure. The concerns some healthcare providers have about backups, disaster recovery (DR) and business continuity are eased when their IT providers or IT departments commit to establishing and monitoring backups. But it is not always easy to validate that plan and confirm that the system can actually be recovered. The absence of a working business continuity plan (BCP) in the wake of a disaster can lead to data loss.
Organizations that haven't fully tested their DR and BCP should reconsider that choice. Cyber threats to healthcare data security are on the rise and the HHS Office of Civil Rights (OCR) has taken action against those who failed to comply with HIPAA requirements. Fines assessed by OCR, which is in the midst of a HIPAA audit program focused on risk analysis and management, have totaled more than $26 million. Impending HIPAA audits have made some covered entities consider protecting their data by pushing it offsite to a reliable and cost-effective service.
Many of today's cloud providers such as Microsoft, Amazon, Google and VMware offer disaster recovery as a service (DRaaS). For example, Microsoft Azure Site Recovery is a service that allows an IT department to connect its local or hosted environments to the service and replicate the complete system to make it easily recoverable. By purchasing a DRaaS product that is easy to set up and configure, IT departments that support environments of different complexities can have a cost-effective alternative to building duplicate backups. This is a viable option for providers that have a current gap in their system protection or backup.
Some providers remain fearful of trusting their data to third-party vendors that will host it offsite, but healthcare data security in the cloud is a top priority for cloud providers. To dispel concerns, vendors such as Microsoft have updated their business associate agreements and comply with standards such as ISO 27001, SOC 1, SOC 2, FedRAMP, HIPAA and others. These security certifications exceed the basic practices observed in some smaller IT environments.
Healthcare data security and cloud DR
Cloud providers feature a variety of DR packages and it's up to medical practices and hospitals to identify which is an appropriate fit for their environment. Healthcare organizations should consider the following criteria when evaluating a DR package or service.
Review all the different DR packages: Today cloud providers are constantly competing, and as a result, plan prices seemingly change from day to day. Announcements of increases in storage and decreases in costs are frequent. It is critical to review a multitude of options from multiple DR vendors. Typically, vendors offer the following services or models:
- Storage as a service (SaaS): By implementing SaaS, a hospital or medical practice deploys a cloud service that offers online storage setup to hold backups of all their critical medical and system data. This model uses the cloud as a virtual media vault that sits outside of the hospital environment. But SaaS has limitations because it acts more like an archiving system that hosts data backups and may not be a fully functional system that can be used immediately.
- DR with infrastructure as a service (IaaS): With IaaS, cloud vendors offer covered entities a service that is a destination for replicated data, but that can also be used as a secondary site if the covered entity's environment is down, or when they are operating in an emergency situation. This model is frequently the most desired because it offers the fastest recovery time compared to other cloud services.
Define the provider's infrastructure and compatibility: Before committing to DRaaS, an IT team must evaluate the product to be sure it supports full system recovery and matches up well with the health IT systems it will be reinforcing. Each vendor offers a different group of tools and IT must select the set that is most compatible with its own.
Address cloud interoperability: Several hospitals and healthcare entities were early adopters of cloud services. The IT departments at these organizations may have more to do to address compatibility and integration of a DRaaS product with their aged cloud systems. Doing this background work is part of comprehensive DR and BCP.
Determine recovery objectives: Two facets of DR and BCP plans are the recovery time objective (RTO) and the recovery point objective (RPO). RTO is a measure of how long an organization can go without its applications before the DRaaS must bring them back online. RPO defines the amount of data loss the organization can tolerate, expressed as the maximum interval allowed between backups.
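The RTO and RPO definitions above, together with the earlier point that it is not always easy to validate that a backup plan actually delivers a recoverable system, are easiest to apply with a scoring script. The following is an added example, not code from the article or from any DRaaS vendor: it parses a constructed backup-job log in a hypothetical format, keeps only successful runs (a failed run leaves no restore point, so it silently widens the real RPO exposure), reports the worst-case gap between usable backups, and scores a recovery drill against constructed RPO and RTO targets. The job name, timestamps and targets are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of a backup-job log (hypothetical format, not any
# vendor's output). Each line: <ISO timestamp> <job name> <status>.
BACKUP_LOG = """\
2023-03-01T00:05:00 ehr-db OK
2023-03-01T06:05:00 ehr-db OK
2023-03-01T12:05:00 ehr-db FAILED
2023-03-01T18:05:00 ehr-db OK
2023-03-02T00:05:00 ehr-db OK
"""


def minutes_between(earlier, later):
    """Whole-number-friendly duration in minutes between two datetimes."""
    return (later - earlier).total_seconds() / 60


def parse_backup_log(text, job="ehr-db"):
    """Return the completion times of successful runs of one job, sorted.

    A FAILED run leaves no usable restore point, so it is dropped here;
    counting it would understate the real RPO exposure.
    """
    good = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, name, status = line.split()
        if name == job and status == "OK":
            good.append(datetime.fromisoformat(stamp))
    return sorted(good)


def worst_case_gap_minutes(good_backups):
    """Largest interval between consecutive successful backups, in minutes.

    This is the data loss a disaster could cause if it struck just before
    the next run; it grows every time a scheduled backup fails.
    """
    gaps = [minutes_between(a, b) for a, b in zip(good_backups, good_backups[1:])]
    return max(gaps) if gaps else 0.0


@dataclass
class DrillResult:
    last_good_backup: str      # ISO timestamp of the restore point used
    data_loss_minutes: float   # outage start minus that restore point
    recovery_minutes: float    # restore completion minus outage start
    rpo_met: bool
    rto_met: bool


def evaluate_drill(good_backups, outage_start, restore_complete, rpo_minutes, rto_minutes):
    """Score one recovery drill against the organization's RPO and RTO.

    outage_start and restore_complete are ISO-8601 strings. The restore
    point is the newest successful backup taken before the outage began.
    """
    start = datetime.fromisoformat(outage_start)
    done = datetime.fromisoformat(restore_complete)
    candidates = [t for t in good_backups if t <= start]
    if not candidates:
        raise ValueError("no successful backup exists before the outage")
    restore_point = max(candidates)
    data_loss = minutes_between(restore_point, start)
    recovery = minutes_between(start, done)
    return DrillResult(
        last_good_backup=restore_point.isoformat(),
        data_loss_minutes=data_loss,
        recovery_minutes=recovery,
        rpo_met=data_loss <= rpo_minutes,
        rto_met=recovery <= rto_minutes,
    )


if __name__ == "__main__":
    good = parse_backup_log(BACKUP_LOG)
    rpo, rto = 6 * 60, 8 * 60  # constructed targets: 6-hour RPO, 8-hour RTO
    print("worst-case gap between good backups:", worst_case_gap_minutes(good), "min")
    # Constructed drill: outage at 15:00 after the failed noon run, restored by 19:00.
    print(evaluate_drill(good, "2023-03-01T15:00:00", "2023-03-01T19:00:00", rpo, rto))
```

With the constructed log, the schedule looks like a six-hour RPO on paper, but the failed noon run stretches the worst-case gap to twelve hours, and a drill starting at 15:00 has to fall back to the 06:05 restore point and misses the RPO even though the four-hour restore meets the RTO. That is the kind of gap a restore test surfaces and a backup-success dashboard alone does not.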
Calculate costs: Service providers offer a wide range of subscription models for DRaaS. Some offer a flat monthly fee based on the amount of storage used. Others, such as Microsoft, have intentionally reduced the upfront costs and charge a low monthly rate, with fees increasing only for what is used during a true disaster scenario. Most IT departments need to engage with the different vendors to ensure their proposed pricing is accurate and based only on the systems that need protection.
For many cloud providers, the ideal situation would be to host clients completely in their cloud in order to use the built-in DR system. But some hospitals still are not willing to trust all of their critical systems and healthcare data security to the cloud and, at first, will part only with some of their systems. For organizations that want to protect their data and ensure it is available during an emergency, DRaaS is a viable alternative to secondary sites.
About the author:
Reda Chouffani is vice president of development at Biz Technology Solutions Inc., which provides software design, development and deployment services for the healthcare industry. Let us know what you think about the story; email firstname.lastname@example.org or contact @SearchHealthIT on Twitter.