10 questions to ask your cloud vendor

Physician practices are beginning to see the value of transitioning their businesses, or parts of their businesses, to the cloud in order to reduce costs. While moving to the cloud greatly enhances the way practices use data and conduct business, it also presents new risks.

For instance, what if your practice were to lose access to data for an hour?  This might be just an inconvenience.  However, what if you couldn’t access your data for a few days? In most cases, this type of event would affect your practice in a more substantial way. 

It’s often easy to underestimate the cost of your critical vendors being down, until it’s too late.  Worse yet, some vendors claim to have reliability but may take shortcuts to save costs.

Here are 10 simple questions to ask your current or potential vendors to make sure your data is safe, even in the event of a disaster.

1) Does your data center have complete power redundancy?
A private cloud data center should have complete power redundancy, which, in most cases, means having two separate, high-priority feeds from the local power company, battery and generator backups, and high-end electrical equipment available to ensure seamless switching between these sources. It’s crucial to have multiple generators with fuel supply contracts so a data center can run indefinitely.  These backup power supplies should be tested regularly.

2) Does your data center’s cooling system have complete redundancy?
In private cloud data centers, it is critical to have adequate cooling. Cooling systems must be completely redundant with high fault tolerance. Many data centers only have a single air conditioning unit, which is often insufficient when there is a heat wave. Like backup power supplies, cooling systems also should be tested regularly.

3) How does your data center operate if the power company has a complete blackout?
Even if a data center has complete power redundancy, blackouts still occur and subsequently disrupt data center functions. It is important to know how much downtime can be expected during a blackout and how long the data center can keep services up.

4) Does your data center have complete redundancy of all components?
Data centers should never have a single point of failure; every component must have redundancy. Storage area networks should have redundant drives, hot spares and multiple controllers. All layers of the system must be included, and individual components should have high availability in order to avoid downtime.

5) Do you regularly test the failover of your data center components?
Having redundant hardware is all well and good, but what is truly important is that these pieces are interchangeable with no customer impact (otherwise known as immediate failover). Many vendors claim to have standby servers or equipment, but it may take hours or days for that new equipment to come online.

6) What are your data center monitoring and alerting procedures?
At a private cloud data center, it’s important to have proactive monitoring and alerting in place with adequately trained professional IT staff that are familiar with the applications and services. This helps ensure that any issue or degradation is identified early and resolved quickly before any customer impact. Issues will happen -- hard drives will fail and network problems are common -- but in almost all cases there are early warning signs.

7) Does your data center have a disaster recovery site in a separate location from the primary site?
Even with high degrees of local redundancy in a private cloud data center, you need to be prepared for significant disasters with a comprehensive disaster recovery plan. Disaster recovery sites should be in geographically disparate areas. Having a data recovery site in close proximity to the primary site is basically pointless, but still surprisingly common.

8) What are the RTO and RPO of your data center recovery plan?
The best practice is to have a site exactly like the primary site – “ready to go” at any time. Many vendors simply back up their data offsite and contract an IT company for equipment rental in the event of an emergency, which would take days or weeks to receive – with no guarantee that it will work. This can greatly affect the recovery time objective (RTO), a measure of how long it will take to restore services, and the recovery point objective (RPO), a measure of how far back the point of data restore is from the disaster occurrence. As a best practice, you should look for a RTO and RPO of a few hours or less.

9) Do you regularly test your data center recovery plan?
Many vendors have a plan, but it may be tested only once per year, or not at all. When tested, there may be multiple flaws found, but often little or no action is taken. Nonetheless, the vendor can still claim that the plan was tested. Make sure to ask about the results of testing. 

10) Does your data center recovery plan account for business continuity?
Business continuity extends the concept of disaster recovery by ensuring that all business functions, not just IT systems, can remain operational with minimal disruption in the event of disaster. As a best practice, vendors should have multiple business locations with adequate, trained staff capable of handling non-IT related business functions, such as customer service. Don’t rely on bussing or flying staff to an alternate location.

As practices transition to the cloud, it’s crucial to ensure that your data will be safe when disaster strikes. All practices that have transitioned or are considering a transition to the cloud should ask these questions of their current or potential vendors. Vendors not only should have adequate responses to these questions, but they also should commit to these things in their contracts and publish this commitment on their website. Leveraging the cloud can significantly enhance the way you run your practice, but you must take these precautions to protect yourself.

InstaMed is a privately held company specializing in healthcare EDI and payment processing.