Home

From Wikibon

Revision as of 21:30, 25 November 2008 by Dab4168 (Talk | contribs)


Peer Incite: Grant, a Sr. Storage Admin at a large bank, discusses how heterogeneous storage virtualization can help reduce the budget for 2009.


Wikitip

Healthcare IT and the Cloud

Over the last few weeks I've been hearing a lot of discussion around HIPAA. When we speak about HIPAA, invariably the two components of data security and data privacy arise.

In the traditional data centers, database managers and data owners know where their data resides and implement the necessary processes to preserve privacy and audit access.

However, when we move to the cloud, the cloud being all about data, we are looking at servers, network, and storage that are abstracted. This raises concern that data owners may not necessarily know where their data sets physically reside and we are looking at Cloud Service Provider (CSP) employees who will be handling confidential patient data or Personally Identifiable Information (PII).

Of importance here is that when it comes to leveraging the cloud ecosystem for healthcare segments, the foremost concerns are around HIPAA and the HITECH Act compliance capabilities and meaningful use provisions.

So what is meaningful use? According to HealthIT.gov:

"Meaningful use is the set of standards defined by the Centers for Medicare & Medicaid Services (CMS) Incentive Programs that governs the use of electronic health records and allows eligible providers and hospitals to earn incentive payments by meeting specific criteria."

The goal of meaningful use is to promote the spread of Electronic Health Records (EHR) to improve health care in the United States.

Benefits of meaningful use of EHRs include:

  • Complete and accurate information,
  • Better access to information, and,
  • Patient empowerment.

In the U.S. healthcare world, organizations are positioning to attain meaningful use. This is to capture the incentives allocated by the U.S. federal government as well as to ensure that reimbursements do not face jeopardy for providers not in line with the meaningful use provisions.

As healthcare practitioners and organizations increase the use of technology solutions in delivering clinical care, their IT departments are faced with additional stress to provide availability on demand and operate data centers approaching 99.999 percent availability. In most cases this is a major challenge that can lead to the risk of unscheduled outages and costly solutions.

Assuring high availability for healthcare applications means meeting uptime requirements, and in today's environments will require access to more than one data center. This can significantly impact the overall capital investment in data center infrastructure for healthcare organizations.

Looking to the cloud as a solution is not only the next step in services but will ensure high availability of clinical applications. This will allow a healthcare organization to leverage the expertise and financial stability of an established CSP. Another advantage of leveraging a cloud ecosystem is that of rapid provisioning and deployment, with the ability to change compute capacity as demand changes.

Thus, in the event of failure, server instances can be seamlessly moved to alternate hosts or, in anticipation, can be clustered to provide redundancy.

Some may ask whether it is risky to transfer data from site to cloud. The answer is no, as a majority of organizations move data over the Internet via encrypted channels. Where we can see concerns arising is with the hand-off of data into the CSP environment.

In a seamless environment, all data will have site-to-site encryption up to and including storage. Where we can see some separation is with healthcare application vendors' support.

In the cloud, it is a given that we can have a number of people with access to the physical servers and storage that cloud consumers have no control over. For an IT security person this will elicit conflicting concerns, as on one hand there is the presupposition that complete control is being relinquished, which can only be assured with prescriptive precautions defined by a CSP.

The cloud computing ecosystem is still evolving and still lacks industry-wide certifications. As we mature within this ecosystem, the intent is to drive toward processes, best practices and certifications which would provide legal protection that can reduce the complexities of a long negotiation and complex SLA requirements.

Within a regular data center or even a small IT shop, as an IT security leader one of my first expectations for any shop is some form of centralized logging with automation. Similarly, transferring that mindset into the cloud ecosystem (they are, after all, data centers), healthcare customers' security leaders expect the assurance that detailed reporting is a given.

Having worked on the security strategy and assessment separately for a few cloud computing projects, I have seen first-hand that access rights were a major focus. In light of this, it is not a complex process to segment solutions for healthcare. As a result, any access to servers and storage dedicated to a healthcare customer by anyone within a CSP organization will be logged and thus can provide the assurance of controls around access.

From a legal perspective, more specifically talking contracts, healthcare customers expect the provision of strong financial penalties to indemnify against a breach as well as to hold the CSP accountable.

Some CSPs are moving to providing a HIPAA Business Associate Agreement (BAA) for their healthcare customers. The assurance provided by their BAA demonstrates meeting the compliance requirements (enabling the physical, technical, and administrative safeguards required) of the HIPAA and the HITECH Acts.

In closing, I will state that HIPAA compliance and cloud computing do not have to be in conflict. Rather, healthcare entities can leverage the benefits of the cloud, coupled with the necessary due diligence and legal contracts, to meet their needs.

Featured Case Study

Virtualization Energizes Cal State University

John Charles is the CIO of California State University, East Bay (CSUEB) and Rich Avila is Director, Server & Network Operations. In late 2007 they were both looking down the barrel of a gun. The total amount of power being used in the data center was 67kVA. The maximum power from the current plant was 75kVA. PG&E had informed them that no more power could be delivered. They would be out of power in less than six months. A new data center was planned, but would not be available for two years.


Featured How-To Note

Storage Virtualization Design and Deployment

A main impediment to storage virtualization is the lack of multiple storage vendor (heterogeneous) support within available virtualization technologies. This inhibits deployment across a data center. The only practical approach is either to implement a single vendor solution across the whole of the data center (practical only for small and some medium size data centers) or to implement virtualization in one or more of the largest storage pools within a data center.
