Let's assume, for the purposes of this article, that you are the compliance officer for your organization. Further, let's assume that for the good of the organization (and your own job) you have decided that it is high time you have that dreaded conversation with your boss regarding HITECH / HIPAA compliance, and how the organization could be found in "willful neglect" if it doesn't update its long-outdated HIPAA compliance initiative.
This article discusses a number of HIPAA misconceptions that keep coming back like the proverbial "bad penny." Compliance with the regulations is far from trivial; however, it is not nearly as complex or expensive as some in healthcare would have you believe. There are too many healthcare stakeholders who would rather delay, defer, or refuse to comply altogether. The industry as a whole would be far better off embracing the fact that privacy and security are now a cost of doing business, and simply get on with it.
I host my blog, my law firm's website, and other "web properties" using Typepad. Typepad is a software-as-a-service ("SaaS") content management system that I have been using now for close to a decade. In that entire time I can recall the service being down perhaps a couple of times. That is really an amazing "uptime" track record! However, this week Typepad was hit with a distributed denial of service (DDoS) attack by a criminal organization that demanded "ransom money" to stop; Typepad refused to pay.
As an attack strategy it proved quite effective. Typepad was down hard for two days for all our properties, and down for three days for a specific property that required a "special fix." In short, when your SaaS provider goes down it is going to ruin your day, and it may even stop your business dead in its tracks. The property that needed a "special fix" was the HSG Store, so the outage obviously cost us some revenue. Further, we had no good way of notifying potential users that we were down and, therefore, the brand also took a "reputation hit." The HIPAA Survival Guide is hosted using a different service; it remained up and continued to send traffic to our temporarily non-existent Store.
What is the moral of the story here? Sometimes it rains in the Cloud, and sometimes there are really bad thunderstorms. AND, sooner or later, lightning is going to strike and bring your Cloud to its knees, of no use to you or any of your customers. Typepad was attacked precisely because it has millions of users. Smaller providers simply don't usually warrant this kind of criminal attention. That is the bad news. The good news is that Typepad's business depends on its service being up, and you can rest assured that its employees worked 24/7 until the service was restored.
So is this an argument for going with a smaller SaaS provider that may be less susceptible to this kind of attack? NO! Why? Because smaller SaaS providers generally don't have the world-class talent (and money) necessary to respond effectively when something REALLY BAD happens. AND, Murphy being Murphy, something REALLY BAD happens a lot when sophisticated technology is in use. There are a million and one things that can make something bad happen to a SaaS service, and Murphy never sleeps. The bottom line is that a DISRUPTION to your Cloud service is going to happen; it's just a question of time and a question of how you will respond.
As more and more healthcare providers take advantage of the Cloud's compelling economics, we are going to see this issue play out over and over again. Unfortunately, like all wicked problems, there are no silver-bullet solutions that will make this monster go away. If you are hosting your EHR in the Cloud, then the best you can do is ensure you have technical and contractual solutions in place (your own copies of your data, a tested way to restore them elsewhere, and terms that spell out what the provider owes you when it is down) in case your Cloud goes down AND refuses to come back in any meaningful period of time. You also had better be confident that your Cloud partner is in it for the duration, because otherwise a Cloud thunderstorm could cause the mother of all floods to your practice.