A white paper published by ClearDATA lists some of the most important criteria to consider when selecting a hosting provider for moving your applications to the cloud:
• Locations: Where will data need to be hosted, and how far away should it be? Should data be
replicated to another data center facility? Will the sites be located in different
disaster zones? How far away should the secondary site be from the primary site?
• Virtualization needs: Ensure that physical servers and a Storage Area Network (SAN) will
be provided for any virtual server environment. Verify that data is not
accessible to any other organization and that security measures are taken to
protect this environment from vulnerabilities. Data must be protected in
accordance with HIPAA regulations.
Inquire about the availability of a “single pane of glass”
management console to connect to and manage virtual servers. Be sure that the
virtual environment offers high availability features, so that no business
disruption occurs and virtual servers continue to operate in the event
of a physical server hardware failure. Confirm the ability to procure a new
virtual server on demand, and ask for load balancing across physical servers to
maximize performance.
• Make a checklist of facility requirements. Among them, be certain to
find a Tier III data center that is SOC II and III and SSAE
16-certified, as well as HIPAA and PCI compliant. These certifications provide
proof that the service provider has documented security processes that are
strictly followed and fully auditable. Ask about service-level agreements
(SLAs) and up-time records for platform, network, and storage availability. Find
SLAs that speak to the main components of availability: security, network,
cloud platform, and storage. An SLA needs to be a guarantee, as well as
something that can be reported on.
• Dive deeply into service capabilities: Healthcare organizations
have to work around the clock, and so does the hosting provider. Ask for
24/7/365 service capabilities and ensure that your service provider can meet
your response times.
• Storage needs: The SAN should be available 100% of the
time, excluding scheduled maintenance. In the event of any hardware failure,
the hosting provider should have a technician with appropriate parts available
onsite within six hours, or the service provider should credit your
organization for a portion of the cost of your downtime.
• Data backup and restore: Understand the backup process,
frequency, and retention periods. Do they work with your controls? How flexible
are they? Understand how backups are validated.
Instead of relying solely on test restores, request continual
reports of successes and/or failures and gain access to a log of successful versus failed
backup jobs to drive best practices.
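The backup-validation point above (frequency, retention, and a log of successful versus failed jobs) is easy to turn into a routine check. The following is an added example, not code from the ClearDATA white paper: it parses a constructed backup job log in a hypothetical three-field format (timestamp, job name, status), tallies successes and failures per job, flags jobs whose last good backup is older than the agreed frequency, and lists the restore points that still fall inside the retention window. The job names, timestamps and the 36-hour and 2-day thresholds are all assumed values for illustration.

```python
"""Backup job log checker.

Added example (not from the ClearDATA white paper). Reads a provider's
backup job log, reports success vs. failure counts per job, flags jobs
whose most recent good backup is older than the agreed frequency, and
lists the restore points still available inside the retention window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: ISO timestamp, job name, status).
# Note that "ehr-db" has failed for the last two nights; "file-share" is healthy.
SAMPLE_LOG = """\
2024-03-01T01:00:00 ehr-db SUCCESS
2024-03-02T01:00:00 ehr-db SUCCESS
2024-03-03T01:00:00 ehr-db FAILED
2024-03-04T01:00:00 ehr-db FAILED
2024-03-01T02:00:00 file-share SUCCESS
2024-03-02T02:00:00 file-share SUCCESS
2024-03-03T02:00:00 file-share SUCCESS
2024-03-04T02:00:00 file-share SUCCESS
"""


def parse_log(text):
    """Return a list of (timestamp, job, status) tuples; blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, job, status = line.split()
        entries.append((datetime.fromisoformat(ts), job, status.upper()))
    return entries


def tally(entries):
    """Count SUCCESS and FAILED jobs per job name: the 'log of success vs failed' view."""
    counts = defaultdict(lambda: {"SUCCESS": 0, "FAILED": 0})
    for _, job, status in entries:
        counts[job][status] += 1
    return dict(counts)


def stale_jobs(entries, now, max_age):
    """Jobs whose most recent SUCCESS is older than max_age (or that never succeeded).

    Returns {job: age_of_last_good_backup_or_None}. A job that keeps running but
    keeps failing shows up here even though it appears in the log every night.
    """
    last_good = {}
    jobs = set()
    for ts, job, status in entries:
        jobs.add(job)
        if status == "SUCCESS" and (job not in last_good or ts > last_good[job]):
            last_good[job] = ts
    stale = {}
    for job in sorted(jobs):
        if job not in last_good:
            stale[job] = None
        elif now - last_good[job] > max_age:
            stale[job] = now - last_good[job]
    return stale


def restore_points(entries, job, now, retention):
    """Successful backups for `job` still inside the retention window, newest first.

    If the retention window is shorter than the current failure streak, the list
    is empty: the provider has backups in the log but nothing restorable.
    """
    cutoff = now - retention
    pts = [ts for ts, j, s in entries if j == job and s == "SUCCESS" and ts >= cutoff]
    return sorted(pts, reverse=True)


if __name__ == "__main__":
    now = datetime(2024, 3, 4, 12, 0)          # assumed "current" time for the report
    entries = parse_log(SAMPLE_LOG)
    print("success/failure per job:", tally(entries))
    print("stale (no good backup in 36h):", stale_jobs(entries, now, timedelta(hours=36)))
    for job in ("ehr-db", "file-share"):
        print(job, "restorable within 2 days:",
              [t.isoformat() for t in restore_points(entries, job, now, timedelta(days=2))])
```

The point of the two threshold checks is that a raw success/failure count can look acceptable (ehr-db is 50% successful) while the job is already outside both its frequency target and its retention window; a report that only counts jobs would not show that no restorable copy of ehr-db remains.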
• Pay attention to monitoring and response: All servers
should be monitored by at least six ports, and gauged on key performance metrics.
• Select a service provider
that can support multiple models: Most cloud service providers should be
able to provide several options:
- A private cloud, the most expensive option, is one in which the
services and infrastructure are maintained on a private network. These clouds
offer a high level of security and control, but they require the company to
purchase and maintain all the software and infrastructure, which leads to
somewhat higher expenses.
- A public cloud shares space with other organizations. Note that
this is the most cost-effective alternative, but public clouds are often not
the most appropriate option for healthcare organizations due to security
concerns.
- A hybrid cloud includes a variety of public and private options
with multiple providers. By spreading things out over a hybrid cloud, each
aspect of the business can be kept in the most efficient environment possible.
The downside is that IT managers have to keep track of multiple different
security platforms and ensure that all aspects of the business can communicate.
Hybrid clouds are often good choices when healthcare organizations want to set
up a virtual private network (VPN) behind their firewall. Or, perhaps a medical
institution wants to use a public cloud to interact with patients but keep
their data secured within a private cloud.
- A multi-tenant private cloud is a good option for healthcare
institutions because it balances reasonable costs with high security. A
multi-tenancy architecture can take advantage of virtualization and remote
access. A software as-a-service (SaaS) provider, for example, can run one
instance of its application on one instance of a database and provide web
access to multiple customers. In such a scenario, each tenant’s data is
isolated and remains invisible to and secure from other tenants.
Be sure to choose a provider that will:
• Sign a HIPAA Business Associate Agreement and be HIPAA
compliance experts
• Support SOC2, SSAE16 and HIPAA compliance
• Provide set response times, depending on the risk to your organization (emergency, urgent,
standard, and so on)
• Provide extensive healthcare cloud computing managed
services
• Deliver 24x7x365 live healthcare-level support
• Offer industry-leading healthcare-specific products
• Exhibit exceptional data center, cloud hosting, and cloud
managed services
• Be flexible and provision additional services as necessary, such
as initial cloud services setup and provisioning and additional Internet
bandwidth
• Be exclusively focused on the healthcare industry. Healthcare IT
is a complex and regulated environment with its own language and high
criticality up-time, redundancy, and security requirements.