Do You Know Where Your Cloud is? Data Recovery and Backup for Healthcare
A single maxim governs the voluminous amount of personnel, financial and federally protected patient data that flows through VITAS® Healthcare’s technology infrastructure every single day: As we insure the security and privacy of all of our data, we also have to keep the business running 24/7.
Every large corporation understands that doing both is a massive undertaking.
As the nation’s leading provider of end-of-of life care, VITAS faces the technological and geographic challenge of protecting, storing, backing up and accessing what amounts to terabytes of data each day–data that originates from two corporate offices, three call centers, and 47 hospice programs located across 14 states and the District of Columbia. Federal Health Insurance Portability and Accountability Act (HIPAA) protections also govern the privacy and security of our patient records and data.
In response to these challenges, VITAS has adopted a hybrid cloud infrastructure for data backup and recovery. It is defined by a private data cloud and a public data cloud that are managed remotely through a combination of on-brand applications, off-brand applications, separate technologies for local backups and a unique-to-VITAS insistence on the geographic security of all or our data.
A VITAS Clause: All Data Stays in the US
The VITAS technology team was aware from the launch of our data backup and recovery planning that we needed an answer to the question: “How do we protect all VITAS data stored in the cloud?” Unlike many healthcare providers who operate primarily locally or regionally, VITAS operations stretch from Connecticut to California, Delaware to Florida, and Illinois to Texas. VITAS data originates from more than 12,000 employees, 8,000 of whom provide hospice care from company-provided iPhones or iPads that contain charts and sensitive data on more than 18,000 patients a day.
During our search for cloud-based vendors and technology providers, the VITAS team insisted on and negotiated enterprise-level contract language from vendors such as AT&T, Microsoft and VMware–language guaranteeing that VITAS data stored and transferred within the cloud remains within the United States and is never transmitted through or stored in non-US locations. Given current global threats to data security, VITAS insisted on the US-only language as a necessary layer of added protection.
Other security measures in our data backup and recovery plan include:
• Replication of all VITAS data, ensuring that in the event of a disaster or data loss, recovery is never longer than 15 minutes.
• Prohibition of a bring-your-own-device policy; all mobile devices used for VITAS work and patient care are provided and managed by VITAS, with device encryption provided by VMware’s AirWatch technology.
• Internal- and external-facing firewalls that are managed by different vendor technologies.
• Additional layers of protection against unlawful data penetration and access.
• Recent completion of a software-defined data center–a “virtual infrastructure,” so to speak–that securely extends computing, servers, networks and data into the cloud.
VITAS Insights on Technology and the Cloud
Throughout our healthcare company’s adoption of the cloud for data backup and recovery, several key tenets and recommendations have influenced our strategy and decisions:
• Insist on security as the guiding principle–not an afterthought–when migrating data to the cloud. Understand the volume of data involved, including how much data must be transferred and transmitted as part of a cloud implementation. Ask difficult questions about additional layers of cloud security and who is responsible for providing and paying for them. Always encrypt data at rest (on servers) and in flight (during transmission).
• Adopt and enforce a well-defined security policy, whether your industry is governed by industry standards or state/federal/international law. A security policy makes clear to employees, customers and other stakeholders that your enterprise takes security seriously, and it provides a needed level of protection in today’s data-intense environment.
• Choose a reputable cloud provider that keeps all data secure and provides transparency about geographic transmission and storage (e.g.,which countries/locations) of data.
• Maintain excellent communication among members of your technology security team, IT infrastructure team, compliance team and application development team. All must embrace the priority of protecting company data (internal, customer, patient, vendor, etc.).
• Consider the human factor involved in technology. Insist on multi-factor authentication and limit access so that employees who use technology/data or move/transmit data are given access only to the particular tasks they must accomplish or the data they need, based on their credentials; never give individuals access to more data/actions than their specific role requires.
On the horizon is what VITAS calls “elastic computing,” an infrastructure that blurs the lines between the private cloud, the public cloud, edge computing and multiple-cloud computing. The day is coming when the cloud will become a service commodity and the companies that rely on the cloud will use multiple providers to execute it.
VITAS, for example, relies on Oracle for some functions, on Microsoft for dynamic customer relationship management, on Amazon, Cohesity, QNAP and other vendors for various types of cloud backup and data storage. The goal is to make elastic computing seamless, so that neither the employees who are using technology to do their jobs, the patients who receive our care nor the healthcare providers with whom we partner are aware of how the technology works.
Like VITAS, they are focused on technology that works seamlessly…and the assurance that their data is always secure in the cloud.
Check Out: Top Cloud Consulting/Services Companies