HITInfrastructure

Virtualization News

Cost, Flexibility Increase Virtualization’s Health IT Appeal

Jeff Thomas, CTO of Forward Health Group, gives insight into the benefits of virtualization and how to ensure organizations choose HIPAA compliant solutions.

By Elizabeth O'Dowd

Virtualization continues to appeal to healthcare IT decision makers looking to cut back on infrastructure costs for hardware, software, and even staff.

Virtualization HIPAA compliance

Virtualization is the abstraction of IT resources that masks the physical nature and boundaries of a server, endpoint, networks, storage, applications, or operating systems (OSes) from users. Virtualization creates a pseudo or “virtual” version of hardware or software to be used for a different purpose than it was originally intended.

Virtualization uses cloud technology and many researchers consider the technology the next step in cloud service technology for enterprises. Virtualization is not limited to one part of a health IT infrastructure and organizations can virtualize parts of their infrastructure as their need for a virtualized environment arises.

“Virtualization technology and cloud technology allow you to be more flexible to your technology needs versus the old, ‘let's just have physical servers in our data center’ model,” Jeff Thomas, CTO of Forward Health Group, told HITInfrastructure.com.

Healthcare organizations considering virtualization implementation to help fill a certain infrastructure need or to support future growth and advancement of IT infrastructure technology need to start by analyzing their current technology. What can virtualization provide that the current infrastructure technology cannot?

READ MORE: Clinical Communication, Collaboration Key for HIT Systems

Benefits of virtualization

Virtualization allows IT departments to outsource certain parts of their infrastructure to gain benefits including skills the current IT department is lacking or cost reduction. Instead of deploying a solution in-house and hiring skilled IT staff to monitor the solution on-site, virtualization gives organizations the option of outsourcing hardware, skills, and even some of the risk associated with maintaining the data on-site.

“Virtualization does transfer some of the risk and transfer some of the cost to another organization,” said Thomas. “From a strategy perspective it can reduce the internal risk footprint, and make it the vendor’s responsibility, who has the ability to maintain that expertise and can do that better, faster, and cheaper.”

Thomas advises that from a cost perspective, organizations can benefit from virtualization financially when they don’t need to hire an army of security staff or an army storage staff to maintain virtualization solutions.

Maintaining data on-site can also prove costly for organizations and is an area where cloud and virtualization can help.

READ MORE: Peak 10, Concerto Achieve HIPAA Compliant Healthcare Cloud

“Cloud and virtualization solutions are very beneficial from the standpoint that as you migrate data, you don't need to maintain your own datasets which can be costly and expensive,” said Thomas. “I’m saying costly but maintaining datasets on-site can also be expensive in that it takes up real estate which can sometimes be used for something else.”

“With virtualization you can more effectively utilize your resources,” Thomas continued. “Instead of buying a server and setting it up for something and only using 25 percent of it. You can tailor a virtualized solution to meet your needs and then expand it a lot faster and better so you can control your costs, per instance, more effectively.”

Virtualization may also outsource some of the security risk involved with keeping data on-site by putting it in the hands of the skilled methods used by the vendor instead of building and deploying their own complete security solution on-site.

“While cloud and virtualization has risks, so does keeping data in house,” Thomas remarked. “If you don’t have adequate security controls and are unable to hire and retain skilled security personnel, outsourcing that to someone else can be very attractive. In the end that’s what you’re doing, you’re outsourcing not only the service but some of the risk.”

Healthcare organizations may find it difficult to maintain the skilled employees needed to administer and deploy parts of the IT infrastructure, especially in rural areas. Virtualization essentially allows organizations to outsource skills they lack or can’t afford on-site.

READ MORE: Virtualization for Secure Healthcare Data Access Control

Virtualization and HIPAA compliance

Similar to all healthcare cloud deployments, virtualization brings HIPAA compliance concerns for organizations hesitant to trust their data to a cloud vendor. Some healthcare organizations may be confident in their on-site HIPAA compliance but may need virtualization for other infrastructure purposes such as scalability.

“There's a comfort level for organizations knowing that their data is in their data center,” Thomas noted. “They can walk up and touch it, and sometimes it's that emotional comfort factor that has some healthcare organizations leaning toward keeping data in house.”

Healthcare organizations cannot always trust a virtualization solution that claims to be HIPAA compliant is actually HIPAA compliant.

“HIPAA compliance is always a dangerous and very vast term and healthcare organizations should always be leery of anyone selling a HIPAA compliant solution,” Thomas insisted. “Even if a solution enables you to use it in a compliant manner, doesn't necessarily mean it solves the compliance problem for you.”

Business associate agreements are highly important and indicate that a vendor understands and complies with HIPAA rules and regulations.

"Is the vendor you choose willing to sign a business associate agreement? If they hesitate or don’t know what that is, they aren’t the right vendor to choose because they don’t understand your healthcare compliance needs when it comes to HIPAA.”

Cloud solutions often come with tools or features that may be produced by another vendor and offered in collaboration because the primary vendor does not have their own comparable solution for a certain feature. It’s not uncommon for cloud providers to offer tools in collaboration with other vendors, but the primary vendor’s HIPAA compliance does not necessarily extend to the other vendor.  

“When looking at a cloud vendor, some of their tools might be vetted to ensure HIPAA compliance, but not every tool may be from that vendor, so you really need to look at it,” Thomas continued. “‘Solution A’ may enable your HIPAA compliance, but ‘technology B’ is part of that solution and it’s not HIPAA compliant.”

It’s more important for organizations to ask vendors how they maintain HIPAA compliance rather than if they are HIPAA compliant. Audits are a way to clear a solution by getting third party assurance that the solution understands and maintains HIPAA compliance.

“Vendors are going to tell you what you want to hear to get your business,” Thomas conceded. “The big thing becoming more prominent in healthcare is we're seeing a big driver to ensure that any vendor, of virtualization and cloud especially, have the right type of third party audits.”

“Audits have been around for a long time and there are some customized ones for healthcare. Thomas continued. “Ensuring that you have the proper contract but also the third party assurance like a SOC 2 audit, provides a third party opinion that the vendor you're choosing to outsource to has adequate security controls that meet your needs. You can get an actual report and to make sure it aligns with what your needs and risk profile is.”

Thomas believes that virtualization will become a bigger part of healthcare because virtualized solutions can be tailored to meet an organization’s needs and scale to meet larger demands. This flexibility along with cost control and HIPAA compliance efforts from vendors makes virtualization a practical option for health IT infrastructure needs.

Dig Deeper: