Healthtech’s three C words: compliance, continuity and cost 

by Ned Hallett
As JAM’s primary pair of lungs, I provide the JAM-y take on the ever-evolving worlds of DevOps, SaaS, MACH – and acronyms yet to be coined.
Published in January 2025

Healthcare technology, like many other industries, is in the midst of a profitable SaaS-ification. From telehealth platforms to medical imaging, the software as a service model is turning up new ways to deliver services, analyse data and, ultimately, deliver better patient outcomes.

And, just like those industries, innovators in the space are finding the SaaS model comes with its own challenges, as well as opportunities.

While the streamers may grapple with CDNs, and manufacturers in the SaaS space scratch their heads over edge data processing, the challenges in healthtech come down to the stringent regulations on patient data, the severe consequences of service loss/disruption, and, in the current economy, the ubiquitous concern with our bottom lines.

In short:

  • Compliance
  • Continuity
  • And cost

Managed services and the three Cs

Many MSPs, ourselves included, have been riding the wave of SaaS-ification in various industries. And healthcare is no different.

Themed packages, productisation, and names like Cloud Health Deluxe and AWS4Healthcare are now 10 a penny, or a dime a dozen, depending on which side of the pond you hail from.

However, in most cases, the managed service provider in question will be offering the same services and targeting the same pain points – with varying degrees of success.

In this piece, we’ll look at exactly how MSPs help healthtechs solve the three Cs, and what to look out for in a great strategic partner.

Let’s get started.

Compliance in healthcare managed services

Healthcare is perhaps the most regulated industry in the world. This is no shock, considering it is quite literally life or death, and preferably the former. To deliver a great product, healthtechs must be compliant, interoperable and up to date.

Regulatory compliance

The pain point

All healthcare organisations – from hospitals to Hexoskin smart vests – are governed by strict, regional laws. It is the MSP’s job to ensure PHI (patient health information) is protected and compliant at all times and in all locales – which is doubly important when a tool or product is sending/receiving data from an EHR/EMR (electronic health record/electronic medical record) cross-region/jurisdiction.

The medicine

An MSP with a specialisation in healthcare managed services should be familiar with:

  • HIPAA (U.S.) 
  • GDPR (EU)
  • PIPEDA (Canada) 
  • PDPA (Singapore) 
  • And/or any regulations applying to their clients’ delivery 

And they should have foreknowledge of how to translate these requirements into low-cost, high-performance infra, for example:

  • Leveraging dynamic data routing and AWS availability zones to ensure PHI is stored in the correct location 
  • Using a KMS (key management system) so that the encryption keys themselves are also stored compliantly
  • Implementing compliant IAM policies to ensure only those who are legally allowed to access PHI can do so
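As an added illustration of the last two bullets (this is example code written for this article, not JAM's own tooling or any client's policy), here is a least-privilege IAM policy for a PHI bucket that locks access to one approved region and pins uploads to one KMS key, plus a small linter that checks any candidate policy keeps those guard-rails. The bucket ARN, key ARN, account id and region are constructed placeholders; the condition keys (`aws:RequestedRegion`, `s3:x-amz-server-side-encryption`, `s3:x-amz-server-side-encryption-aws-kms-key-id`) are real AWS condition keys.

```python
"""Added example (not JAM's code): a least-privilege IAM policy for a PHI bucket,
plus a linter that checks the region lock and KMS-key pin described above."""

# Constructed placeholder identifiers; not real resources.
PHI_BUCKET = "arn:aws:s3:::example-phi-bucket"
PHI_KMS_KEY = "arn:aws:kms:eu-west-2:123456789012:key/00000000-0000-0000-0000-000000000000"
ALLOWED_REGIONS = ["eu-west-2"]  # the only region this client's PHI may legally live in

# Policy for a clinician role: this bucket only, approved region only,
# and uploads only when encrypted with the approved KMS key.
PHI_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadPHI",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": f"{PHI_BUCKET}/*",
            "Condition": {"StringEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}},
        },
        {
            "Sid": "WritePHIEncrypted",
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": f"{PHI_BUCKET}/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": ALLOWED_REGIONS,
                    "s3:x-amz-server-side-encryption": "aws:kms",
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": PHI_KMS_KEY,
                }
            },
        },
        {
            # Explicit deny wins over any other Allow that might be attached later.
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Action": ["s3:PutObject"],
            "Resource": f"{PHI_BUCKET}/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
    ],
}

# A tempting but non-compliant policy: one wildcard, no region or key condition.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Condition values."""
    return value if isinstance(value, list) else [value]


def lint_phi_policy(policy, allowed_regions, kms_key_arn):
    """Return a list of findings for every Allow statement; empty means the guard-rails hold."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only tighten access
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        equals = stmt.get("Condition", {}).get("StringEquals", {})

        if any(a == "*" or a.startswith("s3:*") for a in actions) or "*" in resources:
            findings.append(f"{sid}: wildcard action or resource (not least privilege)")

        regions = set(_as_list(equals.get("aws:RequestedRegion", [])))
        if not regions or not regions <= set(allowed_regions):
            findings.append(f"{sid}: no region lock to {allowed_regions}")

        if any(a in ("s3:PutObject", "s3:*") for a in actions):
            pinned = (
                equals.get("s3:x-amz-server-side-encryption") == "aws:kms"
                and equals.get("s3:x-amz-server-side-encryption-aws-kms-key-id") == kms_key_arn
            )
            if not pinned:
                findings.append(f"{sid}: uploads not pinned to the PHI KMS key")
    return findings


if __name__ == "__main__":
    print("compliant policy:", lint_phi_policy(PHI_ACCESS_POLICY, ALLOWED_REGIONS, PHI_KMS_KEY))
    print("overbroad policy:", lint_phi_policy(OVERBROAD_POLICY, ALLOWED_REGIONS, PHI_KMS_KEY))
```

The linter is deliberately narrow: it only checks the three properties the bullets call for (no wildcards, region lock, KMS-key pin on writes). In practice it would run in CI against every policy change before it reaches an account holding PHI.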

Interoperability

The pain point

While regulations and efficiency demand data be passed using standards such as HL7 or FHIR, there is no simple, one-size-fits-all implementation. And many healthtechs find themselves:

  • Struggling with complex technical implementations that fall a little outside of their comfort zone 
  • Again falling foul of compliance standards when these implementations aren’t up to scratch
  • Opening up attack surfaces by exposing APIs 

The medicine

A healthcare/healthtech-orientated managed service provider will have solid experience solving interoperability problems for a variety of clients. They might:

  • Use pre-built FHIR connectors or be familiar with advanced integration frameworks. They will also be able to conduct workflow analysis to determine the most efficient implementation for their clients’ solutions 
  • As above, they’ll be well aware of how to implement whatever interoperability solution within compliance frameworks
  • They will also be au fait with the skills and tooling required for secure API connections, including management of API gateways, role-based access control and use of OAuth 2.0 protocols to minimise attack surfaces
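To make the "API gateway, role-based access control and OAuth 2.0" bullet concrete, here is an added example (written for this article, not JAM's code or any specific gateway product) of the authorisation check a gateway performs in front of a FHIR endpoint. It assumes bearer tokens carry scopes in the SMART on FHIR v1 form `<context>/<ResourceType>.<read|write|*>` (e.g. `patient/Observation.read`), where `patient/` scopes are confined to the single patient in the token's launch context. The token and request objects are constructed stand-ins.

```python
"""Added example (not JAM's code): gateway-side scope check for a FHIR API,
using SMART on FHIR v1 scope syntax carried in an OAuth 2.0 bearer token."""
from dataclasses import dataclass
from typing import Optional
import re

# <context>/<ResourceType or *>.<read|write|*>
SCOPE_RE = re.compile(r"^(patient|user|system)/([A-Za-z]+|\*)\.(read|write|\*)$")
READ_METHODS = {"GET"}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Token:
    """What the gateway learns from a validated access token (constructed)."""
    scopes: set
    patient: Optional[str] = None  # launch-context patient for patient/ scopes


@dataclass
class Request:
    """The FHIR request as the gateway sees it (constructed)."""
    method: str
    resource_type: str
    patient_id: Optional[str]  # patient the target resource belongs to


def parse_scope(scope):
    """Split a scope into (context, resource_type, access); reject anything malformed."""
    match = SCOPE_RE.match(scope)
    if not match:
        raise ValueError(f"malformed scope: {scope!r}")
    return match.groups()


def is_authorised(token, req):
    """True only if some scope covers this verb, this resource type, and this patient."""
    if req.method in READ_METHODS:
        needed = "read"
    elif req.method in WRITE_METHODS:
        needed = "write"
    else:
        return False  # unknown verbs are denied, never guessed

    for scope in token.scopes:
        context, rtype, access = parse_scope(scope)
        if rtype not in ("*", req.resource_type) or access not in ("*", needed):
            continue
        if context == "patient":
            # patient-context scopes only ever reach the launch patient's own records
            if token.patient is not None and req.patient_id == token.patient:
                return True
            continue
        return True  # user/ and system/ scopes are not bound to one patient here
    return False


if __name__ == "__main__":
    clinician_app = Token(scopes={"patient/Observation.read"}, patient="pat-1")
    print(is_authorised(clinician_app, Request("GET", "Observation", "pat-1")))   # True
    print(is_authorised(clinician_app, Request("GET", "Observation", "pat-2")))   # False
    print(is_authorised(clinician_app, Request("POST", "Observation", "pat-1")))  # False
```

The point the bullet makes about attack surface is visible in the last two lines: a token scoped to one patient's observations cannot read a second patient's record or write anything, regardless of what the upstream FHIR server would accept. Authorisation decisions like this belong at the gateway, before a request reaches the interoperability layer.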

Compliance monitoring and reporting

The pain point

Compliance is not a one-and-done objective. Regulations are ever-changing, meaning healthtechs need to constantly monitor and act on new developments. When approached without the proper tools and frameworks this leads to:

  • Wasteful and existentially risky catch-up cycles with under-resourced teams spooning water out of the ship as regulations evolve
  • Sporadic audits that lack a 360-view and leave stones unturned
  • Difficulties preparing data and information for regulatory bodies and reporting

The medicine

Managed services here often mean centralisation and automation. Proper tooling and experienced management of that tooling – e.g. Datica, Vanta or Netwrix Auditor – allow the managed service provider to:

  • Automate the monitoring of compliance frameworks and quickly bring infrastructure to a compliant standard while keeping it cost-efficient and performant
  • Gain full observability into the platform to reveal new vulnerabilities or non-compliant components 
  • Centralise reporting of logs and compliance data into dashboards and reports 

Continuity in healthcare managed services

Outside of compliance, the second most important quality in services dealing directly with patients is that they work. And, as above, healthcare is perhaps the industry with the least pleasant consequences of downtime, disaster or general patchiness. 

Downtime

The pain point

As healthtech companies grow, true 24/7 support services and IM (incident management) become almost impossible. This is due to:

  • Difficulties in building internal IT teams who can respond to incidents and outages 24/7, especially where a team based in one or two locations services global healthcare clients or healthcare facilities
  • Lack of investment in tooling and/or skills when it comes to infrastructure and application monitoring
  • Lack of recourse and enforceable standards internally, i.e. you’ve no one to blame but yourself 

The medicine

Many MSPs are set up to deliver 24/7 technical support to client infrastructures. Though some are a little better at it than others. An MSP with a good track record in providing 24/7 support and cloud services to health techs will:

  • Solve the out-of-hours problem either by extensively offshoring (spoiler: not a great idea) or by having built a truly global 24/7 support team
  • Come equipped with the tools and skills to monitor and triage a modern SaaS application  
  • Have invested heavily in fail-safes and contingencies when it comes to keeping you within your SLA/SLO. After all, their business relies on it.

DRP

The pain point

Disaster recovery is doubly hard in healthtech SaaS because it must 1) ensure the prompt resumption of service, à la any normal DRP strategy, and 2) comply with any and all active regulations, many of which contain exacting DRP requirements (e.g. HIPAA contains various clauses around documented recovery plans, geo-redundant backups and test frequency). This presents issues for healthtechs who:

  • Often lack the cloud engineering background to ensure compliance alongside high-performance, effective recovery
  • Lack the time and resources to invest heavily in upskilling
  • Lack the organisational structure to perform the kinds of audits and wargames required by the more demanding regulations

The medicine

A healthcare managed service provider specialising in DRP will be able to:

  • Lead a geo-redundant strategy tailored to HIPAA or GDPR requirements based on an established process
  • Allow easy outsourcing and heavy automation to offset the time and resource drain
  • Conduct annual wargames, for example simulating a ransomware attack, to ensure their client remains HIPAA, GDPR or PIPEDA compliant

SRE

The pain point 

While DRP and 24/7 support seek to minimise incidents, SRE seeks to stop them from happening in the first place. In addition to solving this major continuity pain point, SRE also hits at:

  • Healthtechs’ need to test for failure scenarios dynamically – in addition to the response-orientated DRP approach 
  • The need for generally resilient infrastructure
  • The need for heavy automation 

The medicine

MSPs with SRE experience in the healthcare industry may:

  • Employ proactive, continuous methods like chaos engineering and synthetic transaction monitoring (e.g. continuously simulating a data request from an EHR) to discover and plan for new failure conditions 
  • SRE has introduced new resilience concepts that go beyond essential cloud ideas like elasticity: circuit breakers, load shedding and graceful degradation all go one step further toward creating truly resilient architecture and avoiding 
  • The automation component of SRE ticks multiple boxes, automating incident response and detection, capacity management and areas of compliance 
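Circuit breakers and graceful degradation, as named in the second bullet, are easier to reason about with a working model. The following is an added example written for this article (not JAM's code or a real EHR integration): a circuit breaker in front of an EHR lookup that stops hammering a failing upstream, probes it once after a cool-down, and meanwhile degrades gracefully by serving the last-known-good record from a local cache. The EHR client, cache and clock are constructed stand-ins so the scenario runs offline and deterministically.

```python
"""Added example (not JAM's code): circuit breaker plus graceful degradation
around an EHR fetch, with a fake EHR and a fake clock so the run is deterministic."""
import time


class CircuitOpen(Exception):
    """Raised when the breaker refuses to call the upstream at all."""


class CircuitBreaker:
    CLOSED, OPEN, HALF_OPEN = "closed", "open", "half_open"

    def __init__(self, failure_threshold=3, reset_timeout=30.0, clock=time.monotonic):
        self.failure_threshold = failure_threshold
        self.reset_timeout = reset_timeout
        self.clock = clock  # injectable so tests can control time
        self.state = self.CLOSED
        self.failures = 0
        self.opened_at = None

    def _update_state(self):
        # After the cool-down, allow exactly one probe call through.
        if self.state == self.OPEN and self.clock() - self.opened_at >= self.reset_timeout:
            self.state = self.HALF_OPEN

    def call(self, fn, *args):
        self._update_state()
        if self.state == self.OPEN:
            raise CircuitOpen()
        try:
            result = fn(*args)
        except Exception:
            self.failures += 1
            # A failed probe re-opens immediately; otherwise open once the threshold is hit.
            if self.state == self.HALF_OPEN or self.failures >= self.failure_threshold:
                self.state = self.OPEN
                self.opened_at = self.clock()
            raise
        self.failures = 0
        self.state = self.CLOSED
        return result


class FakeClock:
    """Constructed clock: time only moves when the scenario advances it."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class FlakyEHR:
    """Constructed stand-in EHR: fails for the first `outage_calls` calls, then recovers."""
    def __init__(self, outage_calls):
        self.outage_calls = outage_calls
        self.calls = 0

    def fetch(self, patient_id):
        self.calls += 1
        if self.calls <= self.outage_calls:
            raise ConnectionError("EHR unreachable")
        return {"id": patient_id, "source": "ehr"}


def get_patient(breaker, ehr, cache, patient_id):
    """Graceful degradation: fresh record when possible, last-known-good when not."""
    try:
        record = breaker.call(ehr.fetch, patient_id)
        cache[patient_id] = record
        return record, "fresh"
    except (CircuitOpen, ConnectionError):
        if patient_id in cache:
            return dict(cache[patient_id], source="cache"), "degraded"
        return None, "unavailable"


def run_scenario():
    """Six lookups across an outage; returns (status, breaker state, upstream calls) per step."""
    clock = FakeClock()
    breaker = CircuitBreaker(failure_threshold=2, reset_timeout=30.0, clock=clock)
    ehr = FlakyEHR(outage_calls=3)
    cache = {"p-1": {"id": "p-1", "source": "ehr"}}  # constructed: warmed on an earlier call
    log = []
    for step in range(6):
        _, status = get_patient(breaker, ehr, cache, "p-1")
        log.append((status, breaker.state, ehr.calls))
        if step in (2, 3):
            clock.advance(31)  # let the cool-down elapse before the next probe
    return log


if __name__ == "__main__":
    for entry in run_scenario():
        print(entry)
```

Reading the scenario's log: two failures open the breaker, the third lookup never reaches the EHR (the upstream call count stays flat), the first probe after the cool-down fails and re-opens it, and the second probe succeeds and closes it. Throughout the outage the caller still gets a usable, clearly labelled cached record rather than a timeout, which is what "graceful degradation" means for a clinician-facing screen.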

Cost in healthcare managed services

Throughout many industries, bottom lines are top of the agenda.

This is no less true in healthcare organisations, where data costs, complex and crucial customer support needs, and the ever-present data and compliance issue all stretch the purse strings.

High data volume and processing costs

The pain point

Data is one of the leading factors contributing to health techs’ high operational costs. The human body is, after all, one of the most complex systems we know of, and so are the tools that seek to understand it: predictive analytics, diagnostic imaging, wearable devices and real-time patient monitoring, to name a few.

So, the factors driving up cost are:

  • Sheer volume, e.g. the data being crunched by an AI/ML diagnostic imaging tool 
  • Complex processing, e.g. data being sent from medical devices 
  • 24/7 availability – related a little to the continuity point 

The medicine

MSPs used to driving down data costs in the healthcare industry and elsewhere will:

  • Apply data tiering (creating tiers of access frequency and storing less frequently accessed data in cheaper, less ready states) and/or run deduplication and compression algorithms on the data that must be retained
  • Again, a good MSP will bring their generalist skills to bear here, leveraging spot instances for background tasks, serverless and generally structuring services to meet difficult processing demands at the lowest cost possible
  • In a sense, data tiering from the first point also applies to data availability though other techniques like CDNs will help with providing continuous availability at a lower cost 

Highly complex customer support

The pain point

Any complex SaaS product will provide a customer support SLA (service level agreement). And this becomes even more charged than usual when that product or tool is key in delivering patient care.

Healthtechs are often mission-critical, with support teams answering to healthcare professionals in dire straits. The factors here are:

  • Naturally high service expectations
  • Global support requirements
  • Regional support differentiation, i.e. an out-of-date encryption key will generate different steps to resolution under HIPAA than it will under GDPR

The medicine

Not all MSPs have a great outsourced customer support service. But some do. A good healthcare MSP will offer customer-facing incident management services with features like:

  • Robust SLAs with response times down to the minute and a track record of sticking to them
  • A true global support offering, with real 9-5 teams spread across every major time zone (or at least all those the healthtech operates in)
  • The ability to not only produce detailed runbooks for effective issue resolution but also iterations of these runbooks to serve GDPR, HIPAA etc.

The cost of compliance

We won’t go into detail on this one. The bottom line about bottom lines here is – as you can see – compliance and regulatory concerns complicate and inflate nearly every aspect of health tech delivery.

This is an ever-present pain point with no simple 3-bullet fixes.

However, we will say that a healthcare MSP with their finger on the pulse will know the ins and outs when it comes to resource management, support staffing challenges and the kinds of infras needed to deliver your product at a low cost.

We’d say they’re hard to find, but looks like you’ve jumped the queue:

A fourth and more polite C word – ‘can’ we be of any assistance? 

As a cloud-native MSP specialising in healthcare, we’ve helped cut down the number of C words issued in healthtech HQs everywhere. 

From our work with BUPA (who serve 40 million+ customers worldwide) to partnering with groundbreaking medical device innovators, we’re here to help healthtechs deliver outstanding results to patients and providers alike. Want to keep pennies out the swear jar? Just get in touch. 
