Not all clouds are created equal


Speed, immediacy and scalability are just a few of the rewards of using the cloud for your applications and data, and the reasons why so many healthcare companies are turning to the cloud to hold even their most critical data. Not only can you easily scale your cloud storage to accommodate your ever-growing healthcare records, but the mobility and immediacy allows you to access and respond to patient data whenever and wherever you need to.

If you’re thinking about migrating to a cloud platform, you’re hopefully concerned about security and performance issues -- and rightfully so. While healthcare providers enjoy incredible benefits with the cloud, not all cloud environments will provide the security and performance you need to adhere to HIPAA, HITECH or even the internal controls your business has devised as best practice. Sorting the pack is just a matter of asking the right questions of the cloud provider.

Optimizing your cloud for optimal patient care
The foundation of a good EHR/EMR system is performance. Medical personnel must be able to retrieve data they need at any given moment; patient outcomes and treatment decisions depend on it. This is where an optimized cloud environment can shine by delivering data instantly.

So what performance benchmarks should be required from your cloud provider?

  • Build and test a proof of concept to ensure a particular cloud can handle your requirements.
  • Ask: What kind of storage does each provider use? Do they utilize fiber or network attached storage? (Fiber is faster and more secure.) Do they offer high-performance SSD based storage?
  • Ask: Which hardware platform are they using to provide computing power and memory?  Not all hardware performs equally.
  • Inquire about how they plan and manage capacity – many providers use an oversubscription model, which can result in performance degradation at certain times of day or days of the week.

Staying compliant through smart security checks
Meeting the HIPAA/HITECH requirements is a mandatory and challenging task. Once again this is an area where the cloud is a natural ally, helping healthcare providers meet compliance standards. The secret: excellent security. Once you’ve locked down your cloud to protect patient and other sensitive data, you’ve already won half the compliance battle.

To ensure your particular compliance needs are met, you must look past the marketing hype and use the following best practices when assessing cloud providers:

  • Some vendors provide security through third parties, which involves a longer chain of liability for you to evaluate. Read all documentation; even if your vendor can show you an audit report (such as an SSAE 16), you must read it closely to determine if their security services were actually part of a third-party audit. Oftentimes they are not.
  • Look for healthcare-focused third parties that validate each cloud provider’s security practices and policies, such as research entities and auditors.
  • Ask if the provider will enter into a business associate agreement. This legally binding agreement helps ensure that your vendor will take responsibility for protecting your PHI appropriately, as well as follow the HITECH and HIPAA rules.
  • Make sure your cloud provider clearly articulates your compliance responsibilities as the customer and their responsibilities as the vendor. If they seem reluctant, or are vague on the division of responsibilities, the odds are they won’t meet your needs or expectations long term.

With a cloud stack designed to meet the specific needs of the healthcare industry, you can optimize your EMR/EHR system, improve medical billing, enhance patient outcomes, satisfy compliance regulations and more. The trick is doing your homework and asking the right questions that will lead you to infrastructure with the security, performance and consultative, managed services your healthcare applications and data require.

Kurt Hagerman is director of information security at Firehost. He oversees all compliance-related and security initiatives.