
IT Compliance Institute, May 2, 2006:

Best Practices

Case Study: Hospitals Find a Cure for Storage Costs

With back-up storage costs stretching the budgets of hospitals attempting to comply with HIPAA, one network of 16 Nevada hospitals found a way to cut storage costs by 80 percent without cutting compliance corners.

By Mathew Schwartz

For many healthcare organizations, complying with HIPAA means finding economies of scale. “As you know, all of the hospitals are under a lot of pressure to meet HIPAA requirements and reduce costs,” notes Todd Radtke, regional IT manager of Nevada Rural Hospital Partners (NRHP), which includes 16 hospitals serving about 300,000 people in an area of Nevada the size of New England.

He speaks from experience: Nevada, like most states, faces healthcare worker shortages, very limited public hospital budgets, and as a result, limited numbers of IT personnel. Shortages aside, however, all 16 hospitals must still maintain compliance with multiple healthcare regulations and demonstrate that compliance to auditors.

For starters, “Part of HIPAA mandates that you have offsite backups of all PHI [Protected Health Information],” notes Radtke. “You just have to do it.” But when NRHP began implementing the needed offsite storage, it realized that creating a single, shared storage archive for all hospitals might be a simpler, more cost-effective solution than deploying dedicated storage. Even so, it still had to navigate multiple technology offerings, build a scalable solution, ensure HIPAA compliance, and guarantee that information was only accessible on a need-to-know basis.

HIPAA Drives Secure Storage

As NRHP further examined how four of its hospitals might back up their PACS (Picture Archiving and Communication System) radiology data, it discovered such storage needs were part of a trend. Hospitals’ information storage needs are increasing dramatically, since practically every state-of-the-art healthcare device—including radiology, MRI, and oncology equipment—now saves images digitally for PC-based retrieval.

The old model of healthcare storage was one archive per application. Yet with so many devices and potential repositories to manage, Radtke knew such an approach would quickly become untenable, especially with NRHP’s scarce IT resources. So NRHP decided to implement a single, centrally administered, HIPAA-compliant offsite storage repository for all of the hospitals’ digital information.

To kick off this so-called Central Data Archive program, Radtke began in May 2005 to research all storage options. “When you’re spending grant funding and you’re having to make the decision in advance, you do a lot of homework,” he notes. Ultimately his short list focused on two types of data-storage technology: Fibre Channel (specifically from EMC and Hitachi) and iSCSI (from EqualLogic, Isilon Systems, LeftHand Networks, and Network Appliance).

Still, vetting the options was difficult. He couldn’t test Fibre Channel products on his own network without first installing a Fibre Channel fabric at the hospitals’ expense, and the alternative, iSCSI, was relatively new and unproven. Ultimately, even though he was steered towards Fibre Channel, he says, he opted for an iSCSI storage area network (SAN). One reason: installing a Fibre Channel network would have been costly, whereas iSCSI runs over existing Internet Protocol (IP) connections, and the hospitals were already linked up via IP.

Finally, for security reasons, Radtke chose block-level over file-level encryption, which narrowed his vendor shortlist to EqualLogic and LeftHand. NRHP purchased two PS200 SAN appliances from EqualLogic, chosen especially because of their ability to work with several computing platforms. After NRHP received the devices, the set-up took only a couple of days. “It was very simple to build the archive, set up the access to all the remote systems. It was almost too easy.”

Pushing Shared Storage

Later, with the radiology offsite storage project completed, Radtke realized even more storage needs could be centralized. “We could back up all the clinical systems, lab records, electronic records information systems,” he notes. So NRHP purchased two more EqualLogic SAN appliances, plus a 7 TB NEO2000 robotic tape library, to attach to the storage. “The design of the SAN provides fully redundant systems: 7 TB at our main data center, replicating to 7 TB at our off-site backup location using the EqualLogic replication utilities, then [it is] sent to tape with Veritas Backup Exec,” notes Radtke.

HIPAA, of course, mandates access and authorization controls for PHI, which any offsite storage plan must account for, and that’s why Radtke opted for block-level encryption: it encrypts the entire disk and doesn’t reveal the file structure if someone gains access to the box. Thus he has fewer security-related storage concerns to deal with, since he can’t even read the patient information himself, and that has obvious benefits. “It eliminates our liability as an [IT] organization. You don’t want to get into a situation of a provider pointing a finger and you having to defend yourself. So that’s another reason I chose to do it this way.” Even so, he still audits who accesses the archives and when, and locks down access to the appliances with Challenge Handshake Authentication Protocol (CHAP) authentication plus source-IP-address restrictions.
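What the CHAP-plus-source-address lockdown described above looks like on an iSCSI target, as an added illustration that is not from the article and is not NRHP’s EqualLogic configuration: the two fragments below use the syntax of the Linux tgt daemon’s /etc/tgt/targets.conf. The first exports a LUN to any host that can reach the portal; the second restricts it to one initiator IQN, one hospital subnet and mutual CHAP. The IQNs, subnet, device path and secrets are made-up placeholders.

```conf
# WEAK (placeholder names): any host that can reach the portal can log in
# and read or write the LUN; nothing identifies or authenticates the initiator.
<target iqn.2006-01.org.example.nrhp:archive-open>
    backing-store /dev/vg_archive/lun0
</target>

# LOCKED DOWN (placeholder names and secrets, not the article's configuration):
<target iqn.2006-01.org.example.nrhp:archive-pacs>
    backing-store /dev/vg_archive/lun0

    # Only this initiator IQN may log in ...
    initiator-name iqn.2006-01.org.example.hospital01:pacs-server
    # ... and only from the hospital's PACS subnet (the source-IP restriction).
    # Discovery (SendTargets) from other addresses will not list this target.
    initiator-address 10.20.1.0/24

    # Initiator -> target CHAP: the initiator must prove it knows this secret
    # before the session is established.
    incominguser pacs_initiator Kp7qLm2vX9sRw4Tz
    # Target -> initiator CHAP (mutual): the target proves itself to the
    # initiator, so a spoofed target on the IP network cannot receive writes.
    outgoinguser archive_target Zc3nHb8vQ1yGd6Lm
</target>
```

Apply the change with tgt-admin --update ALL; on an open-iscsi initiator the matching secrets go into node.session.auth.username/password (initiator side) and node.session.auth.username_in/password_in (mutual side), with node.session.auth.authmethod set to CHAP. Two checks are worth running before calling the box locked down: a discovery from an address outside 10.20.1.0/24 should return nothing, and a login from the allowed subnet without the CHAP secret should be refused. Note that CHAP only authenticates session setup; it does not encrypt the iSCSI traffic itself, which is one reason the block-level encryption of the stored data, discussed above, still matters.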

Finding Economies of Scale and Compliance

The Central Data Archive program went live on January 1, 2006, and already handles more than half a million images from just four hospitals’ PACS systems, plus PHI backups. “Most of our systems are using it as a backup,” he says. “The source data is stored on the local clinical information system at the hospital, then their information system sends a backup to the archive.”

The long-term-care system and an electronic medical records system also now use the SAN as their primary means of data storage, at least for now, because the servers are older pieces of hardware. “We weren’t comfortable running the databases on those servers,” says Radtke. Until the hospital can afford new servers, it’s pointing the existing ones to the new storage as the primary drive.

Sharing Storage and Cost

Going forward, Radtke anticipates NRHP’s storage needs will only increase. “We expect to start upgrading quite rapidly some of the radiology systems—the MRIs, and CT scans, and some of the equipment at the hospitals is outdated,” he notes. As that happens, the need to store more information digitally, then back it up, will rapidly increase. Even so, thanks to the shared storage archive, he is already keeping pace with that growth. “I monitor it, I can set thresholds in the EqualLogic system to let me know when volumes are reaching capacity, then I can dynamically expand those volumes and do some projections for the future.”

As that suggests, creating a centralized storage archive has simplified storage management, with resulting compliance benefits. Simply put, it means numerous storage policies can be applied once, across all 16 hospitals, which makes it easier to audit all transactions and demonstrate compliance with HIPAA’s security rules.

Yet there’s another economy of scale at work here: outright cost savings, since 16 hospitals share the cost of the SANs. “This solution fits into our strategic technology plan by offering our members a SAN that can be shared by all, reducing the cost each member would have to support to build separate SANs,” says Radtke. In fact, creating a single storage archive—in per-gigabyte storage costs—“came in probably four or five times less—20 percent of the cost—of every hospital doing it on their own.”

In short, NRHP was able to turn a compliance requirement into a cost-saver.

Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.


This article originally appeared in IT Compliance Institute and is reprinted by permission of 1105 Media, Inc.