Today’s healthcare organizations face many challenges, and not all of them are related to patient care. As they move to the cloud, they need to weigh a whole host of factors, including cost (which billing model is best for healthcare?), compliance (will my provider sign a business associate agreement and support HIPAA and HITECH obligations?), and security (what does the provider do to prevent and detect breaches?). Here’s an in-depth look at these three cloud considerations for healthcare.
Cloud Storage Costs
Nearly half of all hospital bills are never paid, and since healthcare organizations never know exactly what revenue they’ll have coming in, the administrative team needs to be very careful when it comes to budgeting. So where does this leave healthcare organizations when it comes to cloud services? Often, very confused. They want cloud-based storage services that fit within their budget, and one reason many look to the cloud is the promise of lower costs. However, some healthcare organizations migrating from on-premises infrastructure to a cloud-based infrastructure have seen the opposite happen. In the recent State of Software-Defined Storage, Hyperconverged and Cloud Storage survey, 31% of IT professionals across industries stated that instead of cutting costs, moving to the cloud increased their storage costs. So it’s important for healthcare organizations to carefully review the details of their service level agreement (SLA) and pricing terms before selecting a cloud provider, and to closely examine the billing options on offer.
One way a healthcare organization can keep tabs on its cloud spending is by choosing a provider that offers a level billing plan. Unlike consumption-based billing models in which you pay as you go (like a utility), level billing keeps cloud costs consistent from month to month. A monthly cost is agreed before the contract is signed, so there is never a surprise at the end of the month. Level billing also allows an organization to burst above its baseline during the contract period if capacity needs increase, without the hefty overage charges common in pay-as-you-go models. Another benefit of level billing? Many providers offer a 12-month review and reconciliation period; if you’re using much less capacity than you’re paying for, you can decrease the commitment and receive lower pricing for the following year. Check that the contract actually spells out the burst allowance and the reconciliation terms, since those two clauses decide whether level billing saves money or simply smooths it out.
Virtual and Physical Data Security
Healthcare organizations have become a prime target for cybercriminals, and healthcare data breaches are happening with frightening regularity. In 2018 alone, hundreds of healthcare data breaches were reported, exposing the records of millions of people. Why are attackers going after this industry? Because healthcare organizations hold more personal data than almost any other industry, including names, birth dates, social security numbers, payment card numbers, and electronic protected health information (ePHI). A medical record bundles several of these identifiers together, which is exactly why it sells for more on criminal markets than a lone card number.
Another reason cybercriminals have set their sights on the healthcare industry is that they can often succeed in holding data for ransom. Unlike many other industries, healthcare organizations cannot afford to lose access to their data for any length of time; losing access to records can literally be a matter of life and death. Other organizations may be able to find another way to reach their data, or may simply choose not to bargain with the ransomware operators. Healthcare organizations often feel they don’t have that choice, and many pay up. Paying does not guarantee recovery, though, and the only reliable defense is the unglamorous one: offline or immutable backups that are tested with actual restores, so that a ransom demand becomes a recovery exercise rather than a negotiation.
One way healthcare organizations can protect their data is to consider a virtual private cloud (VPC) instead of a shared public cloud tenancy. A VPC is just as virtual as a public cloud, but it gives each client a logically isolated network of its own. Traffic between systems inside the VPC stays on the provider’s private network and does not cross the public internet unless you deliberately route it there. That isolation is only as good as the network configuration, however: a default route to an internet gateway, a firewall rule open to 0.0.0.0/0, or storage reached over the public internet rather than a private endpoint quietly undoes it, so review those settings rather than taking “private” on faith. A reputable provider also commits to high uptime in its SLA, which is critical for healthcare; if the system goes down for any length of time, it could affect patients or even cost lives.
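To make “isolated” concrete, here is an added example (not DSM’s code or any provider’s) that audits a VPC description for paths to the public internet. The input shape is an assumption modeled loosely on the route-table and security-group listings cloud APIs return; the two VPC descriptions are constructed for this example, one with the weak settings described above and one hardened.

```python
"""Audit a VPC network description for paths to the public internet.

Added example, not DSM's code or any cloud provider's API.  The dict
shape below (route tables, security groups, private endpoints) is an
assumption modeled on what cloud network APIs typically return; the two
sample VPCs are constructed for this example.
"""
from ipaddress import ip_network

ANY_V4 = ip_network("0.0.0.0/0")
ANY_V6 = ip_network("::/0")


def _is_anywhere(cidr):
    """True when a CIDR means 'the whole internet' (v4 or v6)."""
    net = ip_network(cidr, strict=False)
    return net == ANY_V4 or net == ANY_V6


def audit_vpc(vpc, required_endpoints=("storage",)):
    """Return a list of findings; an empty list means no internet path found.

    Checks three things the text calls out: a default route to an internet
    gateway (or NAT), an ingress rule open to the world, and a missing
    private endpoint for a service the workload needs (storage by default),
    which would force that traffic onto an internet path.
    """
    findings = []

    for rt in vpc["route_tables"]:
        for route in rt["routes"]:
            if not _is_anywhere(route["destination"]):
                continue  # a local or internal route is fine
            target = route["target"]
            if target.startswith("igw-"):
                findings.append(f"{rt['id']}: default route to internet gateway "
                                f"{target} (inbound and outbound internet exposure)")
            elif target.startswith("nat-"):
                findings.append(f"{rt['id']}: default route via NAT {target} "
                                f"(outbound traffic crosses the internet)")

    for sg in vpc["security_groups"]:
        for rule in sg["ingress"]:
            if _is_anywhere(rule["cidr"]):
                findings.append(f"{sg['id']}: {rule['protocol']}/{rule['port']} "
                                f"open to {rule['cidr']}")

    present = set(vpc.get("endpoints", []))
    for svc in required_endpoints:
        if svc not in present:
            findings.append(f"no private endpoint for {svc}: traffic to it "
                            f"would need an internet path")
    return findings


def is_isolated(vpc):
    """Convenience wrapper: True only when audit_vpc reports nothing."""
    return not audit_vpc(vpc)


# Constructed sample: a "private" VPC that is not private at all.  A default
# route points at an internet gateway, the database port is open to the
# world, and storage is reached over the internet (no private endpoint).
WEAK_VPC = {
    "route_tables": [
        {"id": "rtb-weak", "routes": [
            {"destination": "10.0.0.0/16", "target": "local"},
            {"destination": "0.0.0.0/0", "target": "igw-public"},
        ]},
    ],
    "security_groups": [
        {"id": "sg-db", "ingress": [
            {"protocol": "tcp", "port": 1433, "cidr": "0.0.0.0/0"},
        ]},
    ],
    "endpoints": [],
}

# Constructed sample: the same VPC hardened.  No route leaves the VPC, the
# database accepts connections only from the application subnet, and a
# private endpoint keeps storage traffic on the provider's network.
HARDENED_VPC = {
    "route_tables": [
        {"id": "rtb-private", "routes": [
            {"destination": "10.0.0.0/16", "target": "local"},
        ]},
    ],
    "security_groups": [
        {"id": "sg-db", "ingress": [
            {"protocol": "tcp", "port": 1433, "cidr": "10.0.1.0/24"},
        ]},
    ],
    "endpoints": ["storage"],
}


if __name__ == "__main__":
    for name, vpc in (("weak", WEAK_VPC), ("hardened", HARDENED_VPC)):
        print(f"{name}: isolated={is_isolated(vpc)}")
        for finding in audit_vpc(vpc):
            print("  -", finding)
```

The point of the check is that “VPC” is a starting position, not a guarantee: the weak description above is a perfectly valid VPC and still exposes the database to the whole internet, while the hardened one differs only in three configuration lines.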
Finally, healthcare organizations should not overlook the physical security and resilience of their cloud provider’s data center. Where data lives matters both for compliance (data residency) and for risk, so look for a provider whose facility sits outside flood zones and has redundant N+1 generators, an uninterruptible power supply (UPS), computer room air conditioning (CRAC), two-factor access control at the door, and hurricane-rated construction. It’s also important to look for a provider that offers geo-diverse locations, or geo-redundancy, in its SLA. That means your data is replicated to a second site, so if a disaster strikes one location it stays safe and accessible from the other, provided the secondary site meets the same physical and compliance controls as the primary.
HIPAA, HITECH, and PCI DSS Compliance
Periodic changes to the Health Insurance Portability and Accountability Act (HIPAA) regulations have many organizations scrambling to keep up. And while HIPAA does a lot of good, such as giving individuals insurance options when between jobs and protecting patient data by restricting access to authorized individuals only, it also creates a lot of confusion.
In addition to HIPAA, today’s healthcare organizations have also had to adhere to the Health Information Technology for Economic and Clinical Health Act (HITECH) regulations since 2009. Created to strengthen HIPAA’s privacy protections and the ability to enforce them, HITECH requires healthcare organizations to notify affected individuals, the Department of Health and Human Services, and in larger cases the media when protected health information is breached. Failure to comply can result in penalties of up to $1.5 million per year for violations of a single provision, and for an industry that’s always facing rising costs, that can be crippling.
At one time, many healthcare providers attempted to maintain compliance on their own. Now, for many organizations, it’s too time-consuming and expensive to employ an IT team that’s familiar with the regulations and able to continuously monitor systems and logins, develop security incident procedures, and apply data encryption. And healthcare organizations accepting electronic payments also need to maintain PCI DSS compliance, yet another hurdle they simply don’t have time for.
To stay on top of these regulations, many healthcare organizations are turning to cloud providers that support HIPAA, HITECH, and PCI DSS compliance to minimize the risk of fines and to protect their patients. Two caveats apply. First, there is no official “HIPAA certification”; what a provider can offer is a signed business associate agreement (BAA) and independent audit evidence such as a SOC 2 report or HITRUST assessment, whereas PCI DSS does have a formal attestation of compliance you can ask to see. Second, responsibility is shared: the provider secures the facility and platform, but the covered entity remains responsible for how its own systems, accounts, and data are configured on top of it.
If you’re a healthcare organization considering migrating to the cloud, or looking to switch cloud providers, consider DSM. We are Florida’s preferred cloud provider, with a unique H-Cloud designed just for healthcare organizations. H-Cloud offers HIPAA, HITECH, and PCI DSS compliance, heightened virtual and physical security features, and we can put you on a level billing plan right away. Contact DSM today to learn more.