Verizon dangles carrot to bring cloud to healthcare

Summary: Verizon's enterprise unit will sign a business associate agreement (a major HIPAA roadblock) to entice the healthcare industry to go to cloud computing or at least managed hosting.

The healthcare industry hasn't been a big fan of cloud computing. In fact, even co-located and hosted data centers are a stretch due to security and privacy regulations. Verizon, however, aims to change that equation and just might succeed.

Verizon's enterprise unit, bolstered by its Terremark cloud computing portfolio, on Monday launched a portfolio of services designed to meet HIPAA (Health Insurance Portability and Accountability Act) requirements.

In a nutshell, health care players (payers, insurers and hospitals) will be able to host patient information in Verizon's Terremark data centers. Verizon also plans to offer co-location, managed hosting, cloud and private cloud services. Verizon's enterprise cloud services plan starts with healthcare, but can scale to other industries.

How will Verizon court healthcare? HIPAA requirements and various providers in the industry are held together by something called a business associate agreement (BAA). The BAA dictates that each party that touches patient data is required to meet HIPAA standards. If one party in the data chain fumbles, it is liable for penalties and fines.

That BAA has limited the popularity of data center hosting. Dr. Peter Tippett, chief medical officer and vice president of Verizon’s health IT practice, said the telecom giant will sign a BAA. Verizon is among the first large players to sign a BAA.

"The healthcare industry just doesn't use much hosting, co-lo or cloud computing," said Tippett. "HIPAA wasn't created in a vacuum. Healthcare people have always been worried about security and privacy. We all blame HIPAA now, but it's just a manifestation of what the industry believed. Before HIPAA no medical records were emailed either."

If Verizon gets its way, hospitals and large healthcare players will move toward hosting, co-lo data centers and cloud computing. Tippett said that Verizon has a few big-name parties that are interested and the response to the BAA offer has been positive. "We say we'll sign a BAA and people get giddy about it," says Tippett. "Verizon is really signing up for something to show we're comfortable with security."

The ROI for the healthcare players is fairly clear:

  • Healthcare providers can offload data center management to focus on other things;
  • Eliminate all the meetings, consultants and hassles that go with HIPAA and data centers;
  • Refocus efforts elsewhere.

There are other cost savings that are possible, but individual mileage will vary. Tippett said that Verizon's healthcare cloud services will be delivered from its Miami and Culpeper, Va. facilities. Both meet HIPAA security controls as well as PCI-DSS Level 1 Compliant Service Provider requirements, ITIL v3-based best practices and physical clearance procedures.

Topics: Cloud, Data Centers, Health, Privacy, Security

Talkback

4 comments
  • BAA not enough

    It used to be that just signing the BAA was enough to make a vendor HIPAA compliant, but now the vendor runs by the same rules a healthcare facility does. Verizon will have to provide HIPAA training to all employees who have access to that information, be able to perform audits on demand and tell their customer who accessed what information, when they accessed it and what they did with it. That's just 2 of the many rules that are in place, and while they are probably working on that and will be compliant, there's just one problem.

    If all of my data is on the cloud, what happens when the internet is down? How can I look up what allergies the patient has, when it's stored out there in the ephemeral cloud, but I can't reach the cloud? For example, there was a local disaster, and internet services were down for a day, and no electricity for about 12 hours. We ran on generator and had access to critical systems. If we'd hosted on the cloud, we would have had no historical patient data for that 24 hours where the ISP was down.

    When I'm hosting on site, if a system goes down, the information is still accessible in another system. If everything is hosted on the cloud, then nothing is available, and that affects patient care.

    The cloud looks good on paper, but you never want to set yourself up where you have a single point of failure. You need to make sure if A goes down, that you can get your data from B and have a workaround. The cloud offers many single points of failure where you can't even get to B. I'm not convinced yet that Healthcare is a good place for the cloud except as a place to store offsite backups of the data.
    GSG
    • BAA - implies your concerns are taken care of!

      Hi,

      That is some nice analysis, but not quite correct.

      When the BAA is being signed it will imply that the HIPAA rules are followed and the organizations will impart the necessary training to the relevant staff.

      Further, data centers hosting the cloud infrastructure are geared for redundancy. It can be safely assumed that in case of a localized disaster the healthcare facility will be better served by a cloud based provider than an in-house data center. I can relate a lot of stories where failure in in-house infrastructure took weeks to recover.

      Once they have the power up and running, all they have to worry about is getting on the web. Nowadays mobile companies like Verizon can set up mobile wireless internet in disaster prone almost immediately.

      The comment lays out good points, but is wrong in presuming that the company signing the BAA would not have thought of these and will choose to ignore these and other similar concerns.
      Sachin Jain
  • A BAA is not enough - for a different reason.

    A BAA is not enough - for a different reason. The OCR (Office of Civil Rights) has new guidelines created from the initial pilot audit program launched last year. These new guidelines are now being applied to business associates (hosting providers) as more federal audits are being conducted this year.

    If your HIPAA hosting provider hasn't been independently HIPAA audited by the OCR guidelines, you should find a provider that has been in order to avoid a data breach and prove your due diligence. The older HITRUST standards are not the optimal guidelines for a HIPAA audit anymore.

    www.onlinetech.com/hipaa
    onlinetech