Healthcare is in the midst of an IT explosion. Big Data, telemedicine, and AI are all changing how patients receive care. This has made the healthcare industry a very lucrative market for cloud service providers to pursue. It can be difficult to break into though. You need to understand the unique challenges of that industry and how they affect their interest in ITaaS.
Most hospitals and other healthcare organizations would see both operational and fiscal benefits from migrating to cloud services. But leadership in many of these orgs remains skeptical about using third-party IT services, given the heavy regulatory burden placed on electronic patient data and the hefty fines that come with non-compliance.
While healthcare IT can be complex, the key concepts you need to know all revolve around managing patient data. Let’s take a look at 4 particular industry acronyms. Understanding them will give you a good handle on what matters most in healthcare IT. Once we’ve covered those fundamentals we can discuss how to approach prospective customers in the industry.
1. PHI
When it comes to helping healthcare businesses manage data, one thing matters above all else: Protected Health Information. PHI is the legal term for a broad range of individually identifiable pieces of data collected during patient care and administration. It includes medical histories, lab results, patient demographic information, and insurance information.
ePHI is the acronym used for electronic (digital) PHI, and includes any PHI “produced, saved, transferred or received in an electronic form.” ePHI is what’s going to come up the most in conversations with customers.
In the US, the primary Federal law regulating how PHI must be handled is HIPAA.
2. HIPAA
This is the Health Insurance Portability and Accountability Act. Full details about HIPAA are available on the Health and Human Services website. For our purposes, the two parts of HIPAA that matter most are the Security and Privacy Rules. The Security Rule describes measures that must be taken to prevent unauthorized access to PHI. The Privacy Rule describes how hospitals, insurance agencies, and other healthcare orgs are allowed to share and use PHI.
Notably, neither Rule dictates specific technologies or technical standards that must be applied. That’s left to healthcare orgs or their IT service providers. More on this point under the HITRUST section below.
The stakes are high for maintaining HIPAA compliance. Penalties for non-compliance, most commonly for patient data breaches, regularly climb into the millions of dollars. In fact, 2018 was a record-breaking year for HIPAA fines, with a total of $23.5 million handed out. The single largest penalty, $3 million, was levied against California-based Cottage Health for two breaches that occurred in 2013 and 2015.
Under HIPAA, any organization that handles PHI to conduct business is a “covered entity” that is bound to abide by the Security and Privacy Rules. If you work with a customer who’s a covered entity, you’ll be required to sign a HIPAA Business Associate Agreement (BAA) before managing and administering ePHI on their behalf.
The HHS site has a wealth of resources, including a sample BAA you can use if you’re working with a healthcare org that doesn’t have one handy.
If you work with Canadian customers, the relevant national law is PIPEDA, the Personal Information Protection and Electronic Documents Act. It carries security and privacy provisions similar to HIPAA’s, but it’s important to know that it permits greater control at the provincial level, whereas US states are all equally bound by the Federal regulations in HIPAA. The Office of the Privacy Commissioner of Canada website has details on all provincial variations. Of note, all Canadian provinces, with the exception of British Columbia and Nova Scotia, allow health data to reside in the United States, which is useful to know when determining which IT resources are viable.
3. EHR
These are Electronic Health Records, some of the most sensitive ePHI that you can be asked to work with. EHRs hold a patient’s entire medical history, including diagnoses, medications, radiology images, immunization records, and test results. One defining feature of EHRs is that they’re designed to be easily shareable between healthcare providers, such as between a general practitioner and a specialist, or a private practice and a pharmacy. This means EHRs need to be easily, but securely, accessible to all involved providers.
EHRs are critical to the performance of modern healthcare, and also possibly the most challenging data to manage properly. Fortunately, there is guidance available.
4. HITRUST CSF
One of the main forms of guidance is the HITRUST Common Security Framework. This is a “prescriptive set of controls” for complying with HIPAA and also other major regulations. This framework gives Partners and covered entities actual technical guidance they can implement. The CSF is designed to be very adaptable. It sets baseline controls, but leaves room for entities to customize security measures, or develop alternatives, based on their specific size and organizational type.
Talking Points & Takeaways
One of the main platforms that SherWeb Partners can leverage for healthcare customers is MS Azure. While Azure environments aren’t HIPAA/PIPEDA-compliant ‘out of the box,’ it is fairly easy to provision them according to the HITRUST CSF using an Azure Blueprint. In many instances O365 and Microsoft Dynamics tenants can also be provisioned for healthcare orgs seeking HIPAA compliance.
When discussing cloud service options with healthcare customers there are some important points to make. Generally, these customers care most about:
- Service Availability—Lives are literally at stake in this industry
- Cost Effectiveness—Revenues are volatile and margins tight in the healthcare industry, which both make the predictable expenses of cloud services attractive
- Scalability—All of the latest IT trends noted up top require significant amounts of infrastructure to spin up
These are all things that cloud services are generally designed to address. And here are some specific industry problems that might be pain points for your healthcare customers:
- Unpredictable ongoing infrastructure costs and CapEx expenditures
- Lack of local knowledge on complex compliance issues
- An inadequate disaster recovery program
- Complex local IT environments inhibiting new project rollouts
- Understaffed IT departments—Managed cloud services solve staffing problems too
We’ve found that the best way to develop business with healthcare orgs is to fully embrace the role of ‘Partner’ and be a collaborator that helps them figure out which of their IT systems and infrastructure can safely be siloed outside of their own organization.
Healthcare businesses are also more likely to prefer being hands-on with their cloud-based services. Control matters a lot to them, and ‘black box’ IT services that other industries see as a convenience are scary to healthcare orgs.
Compliant IaaS options that you can help them build from the ground up are likely to be more attractive than either SaaS or PaaS offerings, since they retain more of that control. Of course there will always be exceptions, but this is a good starting point when beginning talks with a healthcare prospect.
While healthcare IT is a complex field, and there are many things to be aware of, SherWeb Partners might be some of the best-positioned providers to enter the market.