In the second part of our series on navigating the challenges of bringing healthcare data to the cloud, AuntMinnie.com provides suggestions from attorneys Melissa Markey and Margaret Marchak on vendor selection, contracting matters, and disaster recovery. For part 1, click here.
If you've thought it all through carefully and made the difficult decision to move to the cloud, it's important to find a vendor that you're comfortable with for the long-term, said Melissa Markey of law firm Hall, Render, Killian, Heath & Lyman. Issues to consider include whether the cloud is a public, private, hybrid, or community cloud. Community clouds are entities that have similar regulatory obligations and similar use cases, and are likely a better fit for healthcare, she said.
"Public clouds make their money on having really flat operational characteristics; they don't like to negotiate their contracts," Markey said. "Everybody is treated exactly the same. They don't change their configurations and it's truly utility computing. That typically doesn't fit healthcare terribly well, particularly when you're talking about sensitive data."
Private clouds can be great, but they often do not provide the utilities of scale and efficiencies anticipated from cloud computing, Markey said.
"Community clouds, wow, that's where we are really leveraging the unique capabilities that we need in healthcare," Markey said. "And if we have a vendor who knows how to do it right in a community cloud, that's where we can really have a real win."
Prospective cloud users should look at a cloud vendor's capitalization, length of time in business, service record, and whether it's willing to contractually commit to reasonably acceptable performance terms, according to Markey.
Many different groups should be involved in the vendor selection process, including risk management, procurement, process improvement, compliance, IT security, internal control/audit, and legal, Markey said.
"What's becoming increasingly important is your clinical team, because they are going to have to use it, massage it, and be able to live with it," Marchak said.
Due diligence should be performed on the vendor, such as finding out if it's a large company or a small start-up that's leasing space on a bigger company's network, Markey said. Also, find out its policies, procedures, and insurance information, and determine the laws and regulations of the applicable jurisdiction.
Contracting matters
After the cloud vendor has been selected, it's time to negotiate the contract. The services contract should define data rights and ownership, the location of the data, security expectations, service level expectations, and remedies, as well as audit, compliance, and e-discovery requirements, she said.
"In many ways, this is going to be an outsourcing contract on steroids," Markey added.
Request-for-proposal (RFP) responses should be built into the contract and become part of the performance expectations, she said.
Institutions need to protect themselves by arranging for indemnification, insurance, warranties, reporting, and meetings with the vendor account executive, Markey said.
All good things come to an end, so a plan for termination and transition should be part of the contract negotiation, she said. In addition, it's important to define what kind of notice will be needed to transition to another cloud solution. Details for return of the data should be discussed.
"In order to avoid the breakup, trying to be as flexible as you can with some of these contract provisions will permit you and your vendor partner to grow and react to continuously changing security environments," Marchak said.
Be aware of warranty disclaimers and limitation-of-liability paragraphs because they may be trying to take away protections you may need, Markey said.
"Go through them very carefully and make sure that those disclaimers make sense because there are some things that they just can't disclaim," Markey said.
Service-level agreements
Many warranties can be converted into service-level agreements (SLAs), Marchak said. However, SLAs in the cloud shouldn't just be a means to hit the vendors with penalties, but rather a way to provide more performance, according to Markey.
"Make SLAs a means of managing, controlling, and ensuring performance," Markey said.
Availability and performance are primary concerns with cloud computing, especially because no vendor has complete end-to-end control of its availability and performance in the cloud, Markey said.
"You have to work really closely with your cloud vendor to make sure you can maintain availability and performance at acceptable levels," Markey said. "That means you have to be really clear about how many users you are actually going to have on the same system at the same time."
And don't forget about other bandwidth hogs that you are probably not thinking about, such as iPads and iPhones, she added.
Scalability is one of the biggest advantages of cloud computing, and it's important to define how quickly scale can be added in case of events such as natural disasters or other triggers of mass casualties, she said.
Components to consider include application uptime, latency, and what matters most to your business, Markey said.
SLAs for cloud services should cover notifications of security threats, privacy breaches (both regulatory and nonregulatory), and data protection/release issues.
As for downtime, institutions should review the vendor's downtime standards and figure out how an outage/downtime is measured and what automated monitoring method is used, she said.
No downtime may be acceptable for mission-critical software such as electronic medical records, Markey said. Increased uptime usually means increased costs, but it's important to have resilience built in to maintain availability.
She noted that distributed denial-of-service attacks are an increased risk in the cloud, simply because you have some "neighbors" in the cloud that some people might not like.
As for remedies in the SLA, Markey recommends that customers focus not on penalties, but on more bandwidth to ensure service availability.
Disaster recovery
Because the cloud is subject to the same disasters as standard data centers, the cloud provider needs to have a disaster recovery or continuity-of-operations plan for such catastrophes, Markey said. However, there are also disasters that are unique to the cloud, such as the lack of connectivity or loss of telecommunications.
"Think about how the cloud provider handles disaster recovery and continuity of operations, and you need to be very comfortable with that," Markey said.
Also, be aware that cloud and cohosting providers have had computers seized by law enforcement, including computers at both data centers at the same time, she said.
"There goes your primary site; there goes your secondary site," Markey said. "Who has your data? It's with law enforcement. So how are you taking care of your patients?"
Always make sure that you have a copy of your data, she added. The other alternative is for the cloud provider to have a contract with an unrelated third party to have a copy of your data in addition to what's stored at the primary and backup sites.
A disaster recovery plan isn't viable if it isn't realistic for healthcare or if it isn't triggered when it needs to be, Markey noted.
"We can't limp along for 24 hours while [they] decide whether it's really a disaster or not," Markey said. "You need them to accommodate a disaster that affects you disproportionately."
Contract management
The perception that using the cloud will obviate the need for IT staff is inaccurate, according to Markey.
"Someone has to manage this thing," she said.
These tasks include monitoring performance metrics, increases and decreases of assets, security, standardization and automation, and compliance, Markey said.
Having a cloud services agreement is a relationship, and like any relationship it takes work. As such, governance provisions are critical, with the contract specifying how governance will be approached and an escalation process for disputes.
"You need somebody who has a relationship with an appropriately senior person at the cloud vendor to talk with them, to work with them, to have meetings, and to coordinate major activities and strategic needs," Markey said.
