Vetting cloud providers is tricky business

Reputation and certification go only so far when it comes to choosing vendors in the cloud

Someone once said they never invented a sword that doesn't cut from both sides. Using a cloud service to store EHRs (electronic health records) is no exception.

As I noted last week, the consensus is that medical practices will have little choice but to turn to SaaS as the requirements for reimbursement from Medicare grow more complex. For most health care professionals, the alternative -- hire IT professionals to run their systems -- is beyond their reach.

Even if you're not in health care, what I say here is applicable to just about any business considering putting its business essentials in the cloud.

I don't take back any of what I said last week about using SaaS; I'm just reinforcing that it's not something you should go into blindly.

Crown jewels in the cloud
First off, if all of your patient records are to be in the cloud, this is not an area to buy bandwidth on the cheap. You will need a commercial-grade line.

But the biggest issue around using a service in the cloud is keeping the crown jewels -- in health care, that would be patient records -- off site.

And it's not just loss of data or exposure of private or confidential information. Your company also faces a real loss of revenue if you have an integrated system and the service provider who designed the system hasn't taken everything into consideration, says Alex Adamopoulos, executive vice president and COO at Exigen Services, an application outsourcing services provider.

"There will be a cost equation if you don't plan well," Adamopoulos says.

Go beyond word of mouth when choosing a provider
Unfortunately, today most medical practices -- I dare say most businesses -- rely on word of mouth.

Let me tell you about how much you can trust the judgment of your peers.

Years ago, when I was working for another high-tech publication, my old publisher would go to quarterly meetings where publishers and the CFOs of the publications would get together and share info on "deadbeat" advertisers who never paid their bills. The publication I worked for was small, and getting burned was serious business. But it shocked my publisher to see representatives from the biggest publishers in the country stand up, one after another, and say they were burned by such and such advertiser. Well, they were asked, didn't you research to see whether they were good for the bills they were running up? Invariably the answer would come back, "No, I saw them advertise in my competitor's publication, so I figured they had already done the research." Ha, ha.

You need to be confident that your provider is staying abreast of changes to regulations, from the kind of data that is required to the format in which that data should be submitted to ensure you are reimbursed. Will the government consider these SaaS providers as their clients and keep them up-to-date on these matters, or will it be up to the health-care providers to notify their SaaS providers as changes come down the pike?

Certification is no guarantee
You might want to find out how good the SaaS provider's knowledge management system is. Unfortunately, there is no standard for knowledge management systems.

Sure, you can look at the level of CMMI (Capability Maturity Model Integration) to which their software and services have been certified. But as Adamopoulos warns, even organizations at Level 5 -- the highest level of certification -- still have project failures. Having a CMMI best-practices framework in place doesn't mean there are people at the vendor with the discipline to keep it up on an ongoing basis.

"You can have the framework, but when you start bringing in new elements and people, how is it being all tied together, and how is it monitored?" Adamopoulos asks.

His suggestion? If you have a relationship with a company upstream from you, you might want to piggyback on their system.

"Consolidation will bring solutions to the front end faster. Sometimes it's not realistic to bake your own."

What is really needed is a set of business practice standards for the industry, not unlike the standards created in Sarbanes-Oxley, which at least forced more transparency on companies. Transparency is especially important for companies that offer services in the cloud -- its very name implying a certain degree of opaqueness.

I believe that, as beneficial as cloud services may be, the growth of these services will be severely limited in health care and, over time, in every other industry as well, unless they are willing to do more than say, "Trust us."

They need to show us why we should.