Health IT practitioners point to a number of reasons why Health IT should remain the sole responsibility of the health provider. But what about the reasons in support of moving some of those functions to the cloud? Those topics are rarely discussed within healthcare circles, often only heard during sales pitches motivated by the potential closing of a lucrative deal. The motivations for cloud-based Health IT are much deeper than superficial capital impulses, however, and are a matter of efficiency and expertise. We won’t discuss all of them here, but instead will speak to five reasons directly related to the security of health data.
First and foremost, technology is managed by people. Not just anybody, but people who have deep knowledge of its operation. A cloud provider (i.e. a qualified business associate) will hire employees only with extensive expertise in their technology areas. It is surprising to some that good IT employees are hard to find, and cloud providers stake their businesses on those employees. Cloud providers will competitively select the best candidates and subject them to periodic training to ensure the employees’ skills remain fresh.
Secondly, off-site IT operations are wrongly perceived as a problem. How many data breaches have resulted from cloud provider system administrators storing backup tapes at home? How many clouds have gone down as a result of power loss at a customer’s facilities? How many security incidents have been resolved because a department manager has been in the same building as the health organization’s data center? Off-site IT operations are designed and operated to handle these issues before they become problems. There can be more risks to managing IT on-site than off-site.
What about auxiliary services like backup and recovery, encryption, threat monitoring, anti-virus, load balancing, graceful failover to redundant sites, and so on? For a qualified cloud provider, these are plug-and-play services ready to be applied at the customer’s request. The services are already configured, ready for provisioning within a week or two. Compared to the months-long budgeting, planning, implementation, and verification of home-grown IT operations, a couple of weeks seem instantaneous.
A significant factor often overlooked as a security concern is capacity: when capacity limits are reached, critical data can be destroyed or processing requests can be denied. The cloud could easily be defined by the idea that its resources are effectively boundless. Scaling up processing power or storage space is simply a matter of request instead of (again) budgeting, planning, integration, and verification.
Finally, just as healthcare never sleeps, neither should health IT. Qualified cloud provider sites are staffed 24/7/365 and monitored to address potential incidents, whether they are security-related or operational. Cloud provider personnel will proactively evade potential events through IT health monitoring, applying patches and updates to managed infrastructure, and auditing services (like redundant power and environmental controls) to maintain smooth operations.
Qualified cloud service providers know their businesses hinge on their ability to provide world class services to the most demanding customers. Health IT is no exception.