Tuesday, March 26, 2013

The Reality of SaaS

Recently I was asked if SaaS/Cloud computing is appropriate for small practice EHR hosting.

I responded

"SaaS in general is good.

However, most SaaS is neither private nor secure.

Current regulatory and compliance mandates require that you find a cloud hosting firm which will indemnify you against privacy breaches caused by security issues in the SaaS hosting facility.

Also, SaaS is only as good as the internet connections of the client sites. We've had a great deal of experience with 'last mile' issues."

To add further detail, Bill Gillis, the CIO of the Beth Israel Deaconess Care Organization (BIDCO) responded

"We built, manage & maintain our own private cloud in a Co-location facility.  Our EHR cloud is served to the practice via public internet over SSL. One challenge we struggle with is ISP availability and service level/stability.  In Metro Boston one would expect a robust internet infrastructure.  We've found heterogeneous public internet capabilities and quality of service.  We've found that getting a good ping response is not truly an indicator of meeting application performance requirements.  Many cloud hosted applications are sensitive to latency, packet loss, fragmentation & jitter.

In the first year of our project deployment we struggled because the ISP connectivity did not appear to be the culprit. A practice would have 10+ megabit connections with ping returns under 25ms. Yet the practice would experience application freezing, crashes or very poor/slow response time. From the public ISP's perspective 'the lights were green' and they would take no further action. After engaging a third-party network sniffing firm, we discovered the real culprit impacting performance - network latency. We were able to take the data from that engagement back to the ISP to illustrate the problems with the packets in transit.

Implementing a network sniffing engagement was time consuming and costly. Doing this for the 100+ practice locations we were supporting is not sustainable. Luckily we found a company in Boston called Apparent Networks (now called Appneta). Appneta makes a small, low cost black box application that provides deep and detailed network data back to a secure cloud. We place a device in a practice that communicates back to a device we keep in our hosted/central site. The devices continually communicate with each other and log all of the various degrees of network performance up to the cloud. The best part is we preconfigure the devices and mail them to the practices reporting issues.

All the practice staff need to do is provide power and plug it into an open Ethernet port. This saves us from deploying a technician on-site. Since we first deployed these devices we've been able to get to the root cause of performance issues and resolve them rapidly. We've been able to identify everything from an ISP charging for a certain level of bandwidth while only providing 1/2 that speed to staff streaming media during high volume hours saturating the local router. The performance data is stored in the cloud indefinitely. This gives us a longitudinal view of the network/internet connectivity for a specific practice. Recently we were able to avoid a potential issue by noticing that a practice's connection stability was slowly degrading over the past year. We were able to work with the ISP to discover they had an issue with a local Central Office/substation. The reality is most ISPs are not that willing to work with us until we show them the data. Once we have the smoking gun, they tend to dig deeper and work with us to resolve the problems. For all the high-tech equipment we've leveraged for our private cloud, this device was the real Swiss Army knife of the project."

I've described Cloud Computing as "your mess run by someone else".   It can be done successfully, but SaaS is only as good as the privacy protections you purchase or build yourself.   Performance is only as good as your network connection.

I hope this is helpful.
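The point in Bill Gillis's account that a good ping response can hide packet loss and jitter can be shown with a small probe summary. This is an added example, not code from the post or from any vendor it mentions; the sample runs are constructed, and the jitter definition (mean absolute change between consecutive replies) is an assumption chosen for simplicity.

```python
from statistics import mean

PING_OK_MS = 25  # the "ping returns under 25ms" figure quoted in the post


def summarize(rtts_ms):
    """Summarize one probe run; rtts_ms holds RTTs in ms, None = lost probe."""
    received = [r for r in rtts_ms if r is not None]
    if not received:
        return {"loss_pct": 100.0, "mean_ms": None, "max_ms": None, "jitter_ms": None}
    # Jitter here = mean absolute change between consecutive replies
    # (an assumed, simple definition; gaps left by lost probes are skipped).
    deltas = [abs(b - a) for a, b in zip(received, received[1:])]
    return {
        "loss_pct": round(100.0 * (len(rtts_ms) - len(received)) / len(rtts_ms), 2),
        "mean_ms": round(mean(received), 2),
        "max_ms": max(received),
        "jitter_ms": round(mean(deltas), 2) if deltas else 0.0,
    }


def ping_looks_fine(summary):
    """The naive check: average RTT alone against the 25 ms figure."""
    return summary["mean_ms"] is not None and summary["mean_ms"] < PING_OK_MS


# Constructed samples (not measurements from the post).
STEADY = [20, 21, 19, 20, 22, 20, 21, 19, 20, 21]
BURSTY = [8, 9, 8, None, 75, 9, 8, None, 8, 70, 9, 8]

if __name__ == "__main__":
    for name, run in (("steady", STEADY), ("bursty", BURSTY)):
        s = summarize(run)
        print(name, s, "ping check passes:", ping_looks_fine(s))
```

Both runs pass the average-RTT check, but the second one loses one probe in six and swings by tens of milliseconds between replies, which is the kind of evidence the post describes taking back to the ISP.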


Chris Grant said...

Can I ask what your BAA review/approval process was like with the vendor? Or have you found ways to reduce the impact to the vendor of the compliance obligations?

Unknown said...

I am responsible for the Dell Healthcare Cloud and have great interest in this topic. The last mile, indemnification, BAA, security and privacy points that you make are all very real and require specific responses. We deliver ambulatory and provider ISV systems as a service to tens of thousands of end users as part of our service offering. We conduct audits around the HIPAA and FIPS requirements, as well as guidelines, and have implemented recommendations. I would welcome more dialog if you and/or the audience of readers were interested. Topics of conversation could be the BAA and contracting process with specific mention of indemnification and limits on liability, SecureWorks acquisition integration into Cloud offerings, Network architecture for providing Dell ISP services and architectures associated to privacy options. I am based in the Boston area and would love to discuss face to face formally, or informally. #IWork4Dell

Anonymous said...

As it relates to Cloud computing (IaaS, SaaS, etc.), it really is a "devil is in the details" kind of situation. Covered Entities need to fully understand what they're becoming involved with and do a proper assessment. Don't just take the sales rep's word. As a Security professional in the Healthcare industry, I know how CEs struggle with the Risk Assessment process. If that's a challenge, assessing a cloud provider is even more challenging. Keep in mind, you need to not only evaluate the service, but where the data may be replicated for redundancy, who has potential access to your data, and a whole other myriad of issues. HIPAA enforcement outside of the US is legally problematic and many cloud service organizations utilize off-shore entities and locations. The Final Rule really should draw some attention to this. Not trying to say Cloud services can't be HIPAA compliant, but do a deep dive into the details of the service before you consider using the Cloud. The BAA is only a fraction of what needs to be evaluated.