By Kevin Cole, global director, technical product marketing, Zerto, a Hewlett Packard Enterprise company.
The Software-as-a-Service (SaaS) industry is booming. In 2015, the industry was given a global value of US$31.4bn, but by the end of this year, that number is expected to surge to US$195.2bn – a growth of over 500% in less than a decade.
This increase isn’t surprising. With the promise to take on the administrative responsibilities of installing and maintaining an organisation’s software, SaaS providers offer a hugely simplified approach to the running of IT systems, often at very affordable rates.
Just like any other sector, for the healthcare industry, the world of SaaS has numerous offerings. Despite some initial backlash and concerns over data security risks, healthcare providers have now taken to utilising SaaS for numerous applications.
Most notably being used to deploy cloud-based EHRs (electronic health records) and some non-clinical operations, such as billing and revenue cycle management (RCM).
Data loss is not an option
However, while there are several benefits to healthcare SaaS applications, there is one serious downside organisations must consider: data loss.
One of the standard benefits traditionally associated with SaaS providers is that they offer protection from a variety of data loss scenarios.
However, what many organisations do not realise is that most of these providers work on a shared responsibility basis. This means that, more often than not, they only provide basic coverage for data.
As has been well documented, the healthcare industry is a prime target for cybercriminals.
For example, just last month, the UK’s largest NHS trust, Barts Health, which cares for more than 2.5 million patients, reported it had 70 terabytes of sensitive data stolen and added to the dark web by the ALPHV ransomware gang.
And with a global total of 11 million ransomware attempts reported between 2022 and 2023, it’s clear that this is just the tip of the iceberg.
In this environment, basic coverage is simply not enough. Healthcare providers handle enormous amounts of vital and sensitive data; unrecoverable data loss is not an option they can afford when people’s privacy and health are at risk.
Shared responsibility
With so much at stake, organisations need to be fully aware of what is meant by the ‘shared responsibility model’.
The entire premise of SaaS providers is to take the responsibility for the software and its maintenance away from the client.
However, the responsibility of data protection is not always assured in the way healthcare organisations believe it to be.
SaaS gives healthcare providers the means to safeguard a variety of important technological needs, such as the operating system, hardware and network infrastructure.
They can also provide virtualisation to power management, physical security and a mixture of other points.
However, in many cases, the protection of data and users often falls on the healthcare providers themselves.
This means that a variety of common situations are not covered by SaaS providers, unless it has been specifically covered in the SLA, including human errors, viruses, malware and malicious insider threats.
Therefore, despite having a SaaS provider, many organisations could be left unaware that, should a bad event occur, they would be left completely unprotected.
Getting the right protection
Kevin Cole
Healthcare providers cannot afford to put themselves in harm’s way like this, they need to employ added security.
The first step to this is to understand how complex the task at hand really is. Organisations, especially large ones, utilise numerous SaaS applications simultaneously.
In fact, according to Statista, in 2022 organisations worldwide were using an average of 130 different SaaS applications.
Having a large SaaS tool stack like this not only has implications on productivity and the accessibility of data, but crucially it can also make it difficult to protect data.
Simply employing individual SaaS backup solutions for each application only adds unnecessary layers of complexity.
Instead, a key goal for healthcare organisations should be to create a single, isolated, and tamperproof copy of all the data stored by their SaaS providers, which can then be overseen and protected by a vendor-agnostic provider.
Ideally, this provider should also be able to offer fully automated backup and recovery capabilities as well, particularly for critical apps.
By doing this healthcare organisations can achieve a much more streamlined approach to data protection and remove numerous layers of administration.
They’ll also gain the ability to combine scalable and robust security measures along with precise data retrieval to ensure that they are providing the best protection possible for patients and staff alike.
Unlike many SaaS providers, solutions such as this encompass a vast array of data loss including ransomware, which is crucial as attacks against healthcare organisations continue to risk.
When data loss occurs, information can be reinstated within the same SaaS provider or moved to an alternative location.
Additionally, organisations can generate multiple backup copies stored in an independent cloud dedicated solely to data protection, avoiding dependence on major hyperscale cloud providers.
Looking forward
As the healthcare industry experiences an unprecedented surge in SaaS adoption, it has never been more important for these providers to utilise robust data protection strategies.
Healthcare institutions that prioritise the development of a SaaS data protection approach that is independent of any particular vendor can fully leverage the advantages of SaaS while maintaining the assurance of constant data security and recoverability.
