Cloud-based BCDR in healthcare: Why now?

Photo courtesy of Mercy Hospital Joplin, Jopin, MO, after being hit by a tornado

IT professionals as a group tend to be risk averse – and IT professionals in healthcare organizations doubly so, given the life-and-death nature of their world. But, amid rising demand for improved patient outcomes and lower costs, the pressure is growing on healthcare IT to be more agile and innovative. As in most industries today, “agile” plus “innovative” plus “IT” usually adds up to one thing: the cloud.

While healthcare has been slower to accept cloud services – due to worries over reliability, patient privacy, and compliance with HIPAA/HITECH regulations – the winds are shifting. Cloud services are poised to dramatically increase as the underpinning for more personalized, data-driven, patient-centered models of care. As a result, demand for cloud services in healthcare is projected to triple within five years to nearly $9.5 billion.¹

None of this means that the concerns that have slowed cloud adoption in healthcare have dissipated – reliability and security issues are still top considerations. Healthcare IT decision makers are adopting a more granular approach, weighing risks and benefits on a case-by-case basis. According to a report from Accenture, “Healthcare is learning from other industries, such as financial services, about unlocking the benefits of cloud without compromising data security.”²

And one of the first areas where healthcare IT can unlock significant benefits from the cloud is in BCDR: business continuity and disaster recovery.

The cost/complexity equation

The primary issue with traditional BCDR solutions has always been cost; building and maintaining redundant capabilities that may never be used is a significant drain on resources, particularly when cost cutting has left many IT organizations understaffed. At the same time, IT infrastructures have grown in size, range, and complexity. That makes the challenge of choosing the right back-up and recovery options even greater.

Cloud-based services tackle IT cost and complexity issues head on, providing access to a predictable, managed, outsourced set of IT capabilities. They convert upfront capital expenses to a pay-as-you-go operational expense. Enterprise customers are able to offload costs, complexity, and risk to focus on services essential to their mission.

Configuration: Cloud-based BCDR strategies give healthcare organizations multiple options, such as a traditional “hot” (or online) site coupled with a “cold” (or offline) site. Other configurations include hot/warm or hot/hot (i.e., completely parallel sites). Application failover scenarios to other locations are also included.
Employee/operational performance: Cloud-based BCDR strategies also support people. Using a cloud-based option such as a desktop-as-a-service model, employees can work from anywhere using their mobile device.
Data explosion: The amount of data in healthcare is growing exponentially. When traditional back-up strategies cannot keep up, cloud-based storage-as-a-service solutions are practical and scalable.
Load balancing: Instead of sitting idle, cloud-based BCDR is a working asset that delivers constant value and return.

A smarter approach to compliance

HIPAA and HITECH regulations are adding pressure to keep pace with escalating security and reliability requirements. Many healthcare organizations resort to blanket protection strategies such as encrypting everything – not just electronic protected health information (EPHI) but also back-office systems. The result is millions of wasted dollars each year. ³

At the same time, many healthcare organizations remain vulnerable to HIPAA audits because they lack the in-house expertise to properly deploy their enterprise applications. Most hospitals and other providers cannot produce an inventory of their information assets, determine vulnerability to security failures, or appraise the potential costs of a security breach. Nor have they assessed the impact of service disruption from a business-continuity standpoint. Besides stiff financial repercussions, these failures can seriously damage reputations and undermine the confidence of patients and partners.

Relying on the right cloud provider may produce better application performance, higher security levels, and lower costs. Distinguishing critically sensitive EPHI from back-office business data has the potential to deliver extensive financial and operational benefits.

Continuity and recovery

Cloud-based BCDR supports a shift from narrowly focused back-up and disaster recovery efforts to a more comprehensive business continuity strategy.

Disaster recovery (DR) typically includes the restoration of critical IT elements: systems, applications, network, and telecommunications. The emphasis is less on resiliency – keeping the hospital operating – and more on minimizing data loss. Complex and expensive to implement, seldom tested, and hopefully never used, these options are more akin to catastrophic insurance policies than to practical solutions for ensuring ongoing operations.

At the other end of the spectrum, the goal of business continuity (BC) is to maintain and/or recover essential services in the event of a disruption. BC is more comprehensive, focusing on all aspects of the hospital. When an unplanned downtime event occurs, the facility can continue to operate with minimal interruption, as close to normal as possible.

More granular than DR, BC goes beyond blanket, system-wide solutions. BC can mean anything from zero downtime for critical systems to carefully defined downtime/outage windows for the less critical. It addresses a wide range of eventualities from a short outage all the way through to total recovery. With BC, the organization remains operational during the period between disruption and recovery. A BC plan addresses continuity of patient care, the mechanics of moving back to paper-based systems, custody and privacy of data, and much more. And from a strictly IT perspective, BC planning is often in alignment with current virtualization strategies, wherein workloads are almost continuously in transit.

The cloud and BCDR: Keys to success

There are several key elements to a successful BCDR strategy:

Dig into your applications. As a healthcare organization, you undoubtedly have a lot of them, all with different requirements. A BCDR plan requires a full understanding of the unique needs of each one.
Get as close to the application as possible. The higher up in the stack you go, the less data there is that changes on a regular basis. This simplifies replication by shortening the timeliness of the data recovered.
Get close to your recovery site – but not too close. A second site should be close enough to minimize latency, but not so close that it is vulnerable to the natural disaster or power failure that affected the main site.
Don’t change form factors. Stick with what you know. You don’t want to be in the middle of a disaster and discover that your database server doesn’t scale as well as you thought.
Know your compliance requirements. Know where the data lives and apply controls only where they are necessary. Use workflow diagrams to map and apply the right controls. For instance, personal health information (PHI) often requires greater controls than other stored data. Applying the PHI controls to every data collection is both expensive and obtrusive.
Embrace continuous improvement. BCDR isn’t a one-time event. It requires regular reviews and updates. Each time you make a meaningful change to your IT infrastructure – adding a new application or bringing a new server online – you should update your BCDR plan. Savvy organizations routinely conduct BCDR tests, deliberately performing a failover from one data center to another every Monday morning. If a change has affected the BCDR process, they know it almost immediately.

Evaluating service providers

It’s critical to make sure cloud providers can protect your data from the network level down to physical security. Don’t just take their word for it, and don’t hesitate to suggest improvements that can, in turn, shore up your own BCDR posture. Ultimately, it all falls to you; any unmanaged disruption by your vendor becomes your problem.

When relying on any provider, get a solid grasp of that provider’s commitment to BCDR for its own facilities. After all, if the provider experiences a catastrophic disruption, your organization could experience the same disruption by proxy. And remember that while service level agreements (SLAs) are important, an availability SLA or a repair/restore SLA is not the same as a true BCDR plan.

Don’t be afraid to thoroughly investigate your vendors and partners and perform detailed audits of their disaster preparedness:

What happens to the provider’s BCDR plan when it changes environments?
Ask to speak to existing customers. What was the outcome of any service disruption, and how did the vendor perform?
What are the failover options to other data centers or even competing providers?
When and how often will the vendor/partner test the BCDR plan? Does the plan include failover from one data center to another at least twice a year?

Opportunity knocks

Any serious disruption of your operation – with the potential to ripple through admitting, clinical applications, billing, and more – is costly. But with the right BCDR plan in place, you can minimize the impact. As cloud services gain traction in healthcare, BCDR will be the application that many turn to first. Cloud-based solutions are rewriting the rules for BCDR, enabling greater levels of cost-effective protection, security, and flexibility. The opportunity is there. Are you ready to take advantage of it?

References