Choosing a HIPAA-Compliant Cloud MSP: 6 Things To Know Before You Buy

Cloudticity, L.L.C.

Healthcare, life sciences, and genomic organizations are moving to the cloud in order to harness the power of faster software development and deployment, improved performance, and lower operational costs.

Because the industry is highly regulated and cloud tools and talent can be expensive, many companies are opting to outsource managed cloud services to a third party, rather than undertake the project of building them in-house.

While the right cloud partner can increase your agility and speed, the wrong one can slow you down – or worse, cause security, performance, and reliability issues that are harmful to your business.

Organizations often come to us with stories of how the wrong cloud partner affected their business negatively. We wanted to share some important lessons to help you choose the right one. Here are six questions you should ask when evaluating vendors:

1. Do I get to bring my own cloud?

Make sure you can bring your own cloud (BYOC), which means you can host your company’s cloud environment as part of your company’s own virtual private cloud (VPC).

This may sound like it should go without saying, but sometimes it doesn’t. Some cloud partners require you to migrate to their VPC, giving you less control over your assets and creating vendor lock-in. What would happen if you changed your strategy, or were dissatisfied with the relationship? Disengaging from these cloud partners becomes complicated and difficult.

2. What percentage of your managed services are automated?

Many MSPs still leverage a room full of help desk engineers to do the majority of tasks manually. This means that if you want to spin up or retire an instance, you have to submit a ticket and wait for a human to respond, which can slow you down.

When managed services are fully automated, you can be more innovative and make changes quickly. The more automation your cloud partner leverages, the more efficiency you will gain, which directly translates to increased agility and lower costs.

Most importantly, automation allows you to avoid harmful human errors such as security misconfigurations, which is why automated managed services are more secure.

3. How quickly do you respond to tickets?

We’ve heard stories from clients who previously had cloud partners that took one to two weeks to respond to tickets, regardless of what the contractual SLAs stated. Every time the client provisioned a new server, the stakes were high and so was the risk. If the project didn’t work out, it would be another one or two weeks to spin the server down, which meant wasting money on compute in the meantime. This made innovation slow and costly.

You want a cloud partner who handles most issues in real time via automation, but the rest should be handled in less than an hour and no more than a day.

Also, ask if they have an emergency response policy. You don’t want to end up in a situation where you have an outage and no one to help you resolve it.

4. How much visibility do I have into your managed services?

Being in a highly regulated industry like healthcare, you want to have continuous visibility into your security and compliance posture, removing any guesswork from this critical topic. Some cloud partners will tell you they have security taken care of, but without a dashboard that can show you exactly how you align with each control, in real time, how can you know for sure?

Your customers want to know you are secure and compliant, so choose a vendor that allows you to prove this easily. Make sure they provide real-time compliance and security reports so you can demonstrate alignment with HITRUST at any given time.

5. Are you exclusively focused on healthcare?

A lot of cloud partners claim to be experts in healthcare, but most often that simply means they have healthcare clients mixed into their overall client roster. Many advertise expertise in several industries – such as healthcare, finance, or retail – making their focus broad and their expertise diluted.

Healthcare data is worth more on the black market than credit card data, so healthcare companies face a greater risk of attack than companies in other industries. A healthcare-focused cloud partner with years of experience in the industry will be up to date on current risks and trends and know how to mitigate healthcare threats.

They will also have a deep alignment with HITRUST Alliance and can make sure you inherit the maximum number of controls to streamline your compliance journey.

6. How many inheritable controls do you offer for HITRUST?

Depending on your company's risk profile, you will be required to meet anywhere from 400 to 1800 controls when pursuing a HITRUST certification. The more you can inherit from your cloud partner, the easier your HITRUST journey will be.

Many cloud partners claim to have strong alignment with HITRUST, but if they don't offer inheritable controls then they're not doing much to help you. You want to partner with a company that offers around 200 inheritable or partially inheritable controls. This will shave off a considerable amount of time and effort when you undergo the HITRUST certification process.

The Bottom Line

Choosing the right cloud partner is a critical decision that will affect your company’s success. The right one can provide you with agility and speed, while the wrong one can hold you back.

At Cloudticity, as of today, 96% of issues are auto-resolved without the customer ever creating a ticket, and this number is steadily increasing. Of the remaining 4% that become tickets, 70% are resolved within one hour. We also provide a 15-minute response Service-Level Agreement (SLA) in the case of urgent production outages, and provide over 200 inheritable and partially inheritable HITRUST controls - the highest in the industry.

Check out this free guide for 5 more important tips for choosing a cloud partner. Also, feel free to schedule a consultation to discuss if partnering with Cloudticity is right for you.
