Conducting Business in the Cloud, Part 2
Best Practices to Ensure that Your Data Is Safe
An article taken from the January/February issue of HBMA Billing, by Chris Seib
Read the first segment of this article in the previous edition of HBMA Billing (www.hbma.org) or in HBMA 'Public' News.
As more management companies and medical practices transition their electronic records to private clouds, they risk long-term data outages and other crippling failures that may pose significant threats to their bottom lines. The first article of this series highlighted some of these concerns, detailed best practices for transitioning to a private cloud, and offered tips to use in discussions with vendor partners. This article offers additional tips and best practices, with a focus on disaster recovery, business continuity, and security.
Disaster Recovery
Even with high degrees of local redundancy in a private cloud data center, you need to prepare for significant disasters with a comprehensive disaster recovery plan. Disaster recovery sites should be in geographically disparate areas. Having a data recovery site in close proximity to the primary site is essentially pointless – but still surprisingly common!
Many vendors take a very low-cost approach to disaster recovery. They may back up their data offsite, but it would take days or weeks to bring the backups online. The best practice is to have a site exactly like the primary site "ready to go" at any time. Many vendors back up their data offsite and contract with an IT company for equipment rental in the event of an emergency; that equipment would take days or weeks to arrive, with no guarantee that it will work. This can greatly affect the recovery time objectives (RTO) and recovery point objectives (RPO).
RTO: how long it will take to restore services from when a disaster is declared
RPO: how far back the point of data restore is from when a disaster is declared
As a best practice, you should look for an RTO and RPO of a few hours or less. Because this requires a significant investment, many vendors skimp. They have a plan, but it may only be tested once per year – or not at all. When tested, there are often multiple flaws found, and commonly there is little or no action taken (but the vendor can still claim that the plan was tested).
It is important to consider the human factor as well. Many vendors have a disaster recovery plan that involves putting people on a plane or bus to go to an offsite location. In the event of a disaster, what are the chances that planes and buses will be operational in the immediate area? As a best practice, it is important to have adequate staff in the alternate locations to operate critical functions.
Tip: Ask your vendors about their disaster recovery plans. How often are they tested? What were the test results? What are the RTO and RPO? Were those objectives met in the most recent test?
Business Continuity
Business continuity extends the concept of disaster recovery by ensuring that all business functions, not just IT systems, can remain operational with minimal disruption in the event of disaster.
What are the critical business functions that you rely on from your vendors? Often, it is more than just a website or file server: it involves customer service and other human interaction. As a best practice, vendors should have multiple business locations with adequately trained staff that are capable of handling non-IT related business functions such as customer service. Do not rely on busing or flying staff to an alternate location.
Tip: Ask your vendors about their business continuity plans, specifically if they account for customer service and other critical functions.
Security
Security breaches can cause significant disruption to your business, either through data leakage (which may have significant HIPAA and HITECH Act implications) or by causing downtime and disruption of services. It is important that your vendors take a robust and comprehensive approach to security threat management. Require multiple layers of security, a robust security policy, proactive monitoring, alerting, and independent auditor verification.
Multiple Layers of Security
Best practices include both host-based and network-based anti-virus, anti-malware, intrusion detection and prevention, integrity-monitoring network firewalls, and application firewalls configured in an active, online state. This means that security components will "take action" to block or prevent attacks before they happen, and not just send an alert to indicate a problem.
Your vendors (and you) should have a written security policy outlining all aspects of the security program. Trained security personnel need to review and update this at least once a year. This should also include a regular security risk assessment.
Billing services also should have a designated security officer. This is often not the case, and security is more of an afterthought of the IT department.
Independent Auditor Verification
Do not take your vendor's word for it – ask how they prove their security with independent audits. The Electronic Network Healthcare Accreditation Committee (EHNAC) is a good start, but it does not cover security in a detailed manner. In addition to EHNAC, look for a Payment Card Industry (PCI) "Data Security Standards Level One" audit performed by a PCI-approved Qualified Security Assessor, an SSAE16 Type II audit, and regular external and internal vulnerability detection by third parties. As a rule, make sure your vendors are certified by a third party and not just "compliant" through self-attestation. There is a difference!
Get It in Writing
If your vendors are down for days or weeks, the costs to your billing service will be serious. It is crucial to ensure that your vendors are able to offer "true availability" for the services they provide. Many vendors claim to have availability and disaster recovery, but they take shortcuts to save money, resulting in single points of failure and poor disaster recovery. Vendors should commit to these things in their contracts and publish these commitments on their websites.
As businesses in all industries transition to the cloud, it is crucial to ensure that your data will be safe when disaster strikes. I encourage all types of businesses to use these best practices and tips as a checklist when discussing disaster recovery and security with current or potential vendor partners. Leveraging the cloud can significantly enhance the way you conduct business, but you must first take these precautions to protect your business and yourself.
Chris Seib is the co-founder and CTO of InstaMed, the leading Healthcare Payments Network. Prior to InstaMed, Chris was an executive in Accenture's Health and Life Sciences practice, focused on architecting and delivering portal and connectivity solutions. Additionally, Chris has managed multi-project initiatives such as eCommerce development, software application development, and operations. Chris has certifications and expertise in programming, architecture, Microsoft technologies, database technologies, networks, network architecture, security, and project management.