HIPAA may require that healthcare providers have solid disaster recovery plans in place, but relatively few health IT executives are confident in what they have. In fact, a full 82 percent say their technology infrastructure is not fully prepared for a disaster recovery incident, according to a recent MeriTalk report; even among those who do feel prepared, only 50 percent are confident in their ability to restore 100 percent of the data required by SLAs.
The cost of all that uncertainty? More than $1.6 billion a year as a result of security breaches, data loss and unplanned outages, the report estimates.
Enter the cloud, an increasingly compelling alternative to the traditional remote data center as a disaster recovery solution. Though healthcare CIOs have been cautious in their approach to the cloud — global penetration of cloud in healthcare was just 4 percent in 2011 — that’s slowly changing, and healthcare organizations worldwide are expected to spend $5.4 billion on the cloud by 2017.
Here are a few reasons hospitals should consider using a cloud disaster recovery solution.
1. Enhanced HIPAA Compliance
Industry-specific compliance requirements tend to play a central role in defining an organization’s technology options, and HIPAA is no exception. For healthcare CIOs considering cloud solutions, anything without HIPAA compliance is simply a nonstarter.
“Today, cloud providers’ reluctance to meet regulatory standards is a challenge, since most are creating service packages for the whole industry and not specific to the healthcare environment,” noted Mary Alice Annecharico, senior vice president and CIO at the Henry Ford Health System. “This could be a huge problem for an healthcare organization in the event of a data breach or exposure.”
Fortunately, HIPAA-compliant cloud solutions are emerging, meaning that hospital CIOs can increasingly base their decisions on other distinguishing factors. Whether a cloud vendor is willing to negotiate a HIPAA business associate agreement, for instance, is a good one to pay attention to, advised Skip Snow, a senior analyst for healthcare with Forrester Research.
Google, for instance, is not willing to do so, he pointed out. “That essentially indemnifies Google,” he explained. “Beware the ‘off-the-shelf’ HIPAA business associate agreement.”
2. Reduced Capital Expenditures
In general, the cloud allows organizations to reduce capital expenditures, since they can purchase capacity only as they need it rather than having to invest up front in equipment with an eye toward the future.
“The ability to move expenditures from capital expenses to operational expenses is a big benefit of the cloud,” Snow noted. Ultimately, he added, it should lead to overall savings.
3. Increased Convenience
Cloud solutions can also offer IT organizations more convenience, since the cloud vendor handles much of the process for them.
Of course, “now you’re managing the vendor,” Snow noted. In addition, “this increased convenience comes with the risk that your IT organization will be worried about losing headcount.”
An important message for management to send, then, is that the move to cloud was made in part to relieve IT from the burden of project-based work, he suggested.
4. Improved Resource Allocation
Along related lines, choosing the cloud for disaster recovery allows the IT organization to use existing staff on more important initiatives requiring in-house expertise.
5. Geographically Dispersed
Finally, cloud solutions offer a way to keep healthcare data safe by spreading it out geographically, so that even if one region suffers a disaster, the data will still be safe somewhere else.
“Cloud vendors should have redundant data centers over 500 miles apart, which ameliorates the problem if you have a catastrophic event that’s regional,” Snow said.
In fact, with increasing network bandwidth and storage costs going down, it is now possible to do backups remotely over the Internet, he added.
Of course, “backing up data is easy; restoring data is hard,” Snow pointed out, so CIOs should seek SLAs based on performance of that function.
