Health IT tips for cloud computing
For Greensboro Radiology, the move into cloud computing wasn’t just to cut costs. It was a way to make money.
Stephen Willis, who was CIO for the Greensboro, North Carolina-based firm, said that it was typical to receive more than 300 document requests per month just from attorneys. Greensboro Radiology complied and mailed the documents along with a bill for $10 per request. The law firms never paid.
Willis said that the solution was electronic. The data was already stored electronically. Documents could be emailed to law firms — if they paid the $10 fee first.
Greensboro Radiology moved into the cloud last year. The firm had long believed it needed to have the data to manage it, Willis said. But as the amount of electronic data grew, a move to the cloud made sense. Having the data on a remote network of servers that are accessible to Greensboro Radiology gives the firm the ability to scale quickly as needed. Willis is now CIO for Canopy Partners, a company spun off of Greensboro Radiology this year to provide technology and management services to physicians and hospitals. He spoke at a cloud computing workshop held at the annual conference of the North Carolina Healthcare & Information Communications Alliance. If you’re thinking of moving your health IT into the cloud, here are some things to keep in mind:
It’s not enough for service-level agreements, or SLAs, to outline what services the cloud vendor will provide. Agreements must also state what the vendor will do when something goes wrong, said Mary Beth Johnston, an attorney in the law firm K&L Gates‘ Research Triangle Park, North Carolina office. The agreement should state specific parameters and minimum service levels for matters such as service availability, performance and response and error correction times. Something going wrong doesn’t necessarily constitute a contract breach. But downtime could mean the vendor offers you credit for the time you were unable to operate. “There needs to be specific remedies if they don’t meet the standards,” Johnston said.
Asif Choksi, CEO of Toronto, Canada area e-security firm nKrypt, said it’s important to conduct annual SLA reviews. Look at other SLAs and compare vendors. These agreements are changing all the time and the changes are indications of where cloud computing is going, Choksi said.
It’s important that your systems are audited frequently to check for problems. An independent auditing system is more legitimate than your own, Willis said. But it’s not enough to conduct audits. You also need to follow the recommendations. Besides auditing, Willis said Greensboro Radiology schedules ethical hacking on a regular basis. At least once a year, the hacker hired by the firm will try to compromise the company’s systems. Not all threats are electronic. Ethical hackers look for other breach opportunities: “That includes walking through the front door,” Willis said.
Where is the data?
Yes, your data is in the abstract concept known as “the cloud.” But those servers are somewhere. Privacy laws vary from state to state and you need to know that you can comply with them, Johnston said. You should also check where a vendor backs up its data, Choksi said. Even if a cloud vendor keeps your data in domestic servers, the backups might be overseas. Data that’s overseas is almost certainly subject to different laws, Johnston said.
Questions to ask vendors
Choksi, of nKrypt, has a bunch. How are logs collected and maintained? You want to know not only if you’ve been hacked, but also if someone has tried to hack you. Have you had any breaches? Just because a vendor has had a breach doesn’t make them a bad vendor. The key is the follow-up question: What have you done about it? What kind of certifications do you have? Cloud computing is changing all the time, so you need to check to make sure that the vendor is keeping up. What is the uptime? 99.9 percent translates into 8.8 hours of downtime; 99.99 percent means 53 minutes; 99.999 is about 5 minutes. Here, again, the follow-up question is important. Was that downtime for maintenance, or was there another reason?