September 30, 2014 | Education Leadership Customers
Selling into large enterprises is hard. Selling into large healthcare enterprises presents additional roadblocks, especially for modern, cloud based technology companies. Healthcare enterprises, in the context used here, are insurance companies, hospitals, and health systems. They have traditionally kept data on premises, in their own data centers, and behind their own firewalls. Many are risk averse when it comes to data storage outside of their own data centers, including cloud based systems. A recent report found almost 40% of healthcare enterprises cite risk aversion as the main barrier to adoption of new technologies.
Healthcare has unique compliance, privacy, and security requirements as defined by HIPAA. Healthcare enterprises are defined as “covered entities” (CEs) by HIPAA. Covered Entities have to maintain the privacy of protected health information (PHI), because breaches of PHI are HIPAA violations that carry significant financial penalties. Vendors that work with Covered Entities are defined by HIPAA as Business Associates (BAs). When Covered Entities work with Business Associates, they are required to sign Business Associate Agreements (BAAs), which outline obligations for handling PHI and expose Business Associates to financial risk for violating HIPAA.
At Datica, many of our customers are Business Associates of large enterprises—Kaiser, Cleveland Clinic, UCLA, Blue Shield of California, North Memorial, University of Alabama-Birmingham, and so on. Our customers are building cloud solutions to problems facing healthcare, helping enterprises with telehealth, bundled payments, accountable care, intelligent follow-up, patient engagement, patient reporting of data, and a bunch of other things that traditional health IT vendors are not doing. Overcoming the risk of data breaches, whether real or perceived, is essential for our customers’ success. We consider helping customers in this sales process part of our solution. In that capacity we have learned what role Datica plays to help them drive sales faster.
There are five key areas in which our customers derive value from Datica to sell faster.
Part of the sales complexity is associated with the sheer number of healthcare players. Sometimes it’s clinical, sometimes financial, sometimes ops, but always security and compliance. When you, as a business associate, sell to a healthcare enterprise, you expose them to financial risk if your technology integrates their data or collects data considered PHI. To mitigate that risk, security and compliance sign-off is always necessary before implementation and deployment.
“Datica has been an invaluable partner as we create new products for patients managing challenging health situations. The depth of their knowledge of HIPAA, their experience in protecting personal health information, and the ease of use of their services has helped us quickly and confidently create a scalable platform for our solutions.” — Clay Williams, PhD, CEO & Co-founder, Cohere Health
Datica is cloud computing for healthcare. We offer targeted solutions for the healthcare industry only, helping developers, vendors, and enterprises solve the healthcare-specific plumbing problems of compliance and data integration. Because of our exclusive focus on healthcare, our products are more tailored to customer needs. Our security and organizational policies were created to map to HIPAA. Our BAA was written, and is edited periodically, to address questions and provide assurance for enterprises.
Datica is different from “compliant cloud vendors” that are simply secure technologies at a higher price tag because they sign a BAA. We follow every aspect of HIPAA, both technical and administrative requirements, which creates trust with enterprises for us and, by extension, our Business Associate customers. It also enables our customers to inherit policies from us, such as our Disaster Recovery Policy and Vulnerability Scanning Policy. Other customers have used our policies as templates since we wrote them for vendors of modern, cloud based technologies like ourselves.
Another benefit of healthcare specificity is we offer specific, pre-built HIPAA compliant infrastructure solutions, like EHR data integration. These services fall under the same BAA as our compliant mobile APIs and platform, so customers can show enterprises one BAA from Datica. Some enterprises take a long time to review and approve BAAs, so reducing the overall number of BAAs helps expedite compliance sign-off.
And lastly, because we work directly with enterprises like Blue Shield of California and the VA, we sometimes assist customers with introductions. Since Datica has existing relationships and passed security and compliance reviews, the process is expedited for our vendor customers.
Because Datica operates like other Business Associates and not just as a secure hosting provider, we have completed full 3rd-party HIPAA audits ourselves. We readily share our audit reports with our customers when they are asked for them as part of the sales process. Most customers have not completed full HIPAA audits and lean on Datica’s audit reports as evidence of compliance. This has been effective for all customer types selling to large health systems.
In addition to audit reports, we also have white papers written by HIPAA auditors about the Datica platform that highlight the security and built-in privacy of our technology. The white papers are used by our customers when they are asked for documentation about compliance. The white papers, like our audit reports, are detailed and answer many of the questions enterprises ask about information security and HIPAA.
“Working with Datica has been a fantastic experience for Zipnosis and our unique infrastructure requirements. Datica has not only been quick to set up new, dedicated environments, but they have also been crucial partners in defining our security and infrastructure strategy through care and understanding of our business.” — Derek Rockwell, Director of Engineering, Zipnosis
Healthcare data is sensitive data and needs to be handled accordingly. One common approach is to use dedicated servers and infrastructure for each enterprise. Consider, for example, a mobile application that enables patients to message doctors and runs in a public cloud environment. Each time the vendor of that application sells to an enterprise, they have to spin up dedicated cloud servers for only that enterprise.
While not a requirement of HIPAA, this is something many healthcare enterprises ask about; enterprises require many things that are not in HIPAA, like hardware firewalls. Spinning up and maintaining multiple, dedicated infrastructures is not easy. And if it’s compliant, it’s expensive. The cost of dedicated infrastructure is often passed on by Business Associates to Covered Entities.
Offering dedicated infrastructure is a great way to speed sales because it addresses many of the questions and concerns enterprises have about multi-tenant cloud environments. Datica customers spin up dedicated environments for their enterprise customers in minutes, not weeks. These environments have their own encryption, logging, backup, monitoring, and other services. Since the cost is passed on to enterprises, the main hurdle is the speed to spin up these dedicated environments and the time to manage them. Datica addresses both of these and helps its customers go from contract to go-live much faster than with traditional HIPAA compliant hosting options.
Security and compliance are always a step in the sales process. Datica gives customers a significant shortcut, sometimes shaving off six to nine or even twelve months. The step typically includes a series of calls centering around a set of questions related to information security and compliance; the only standard set of questions we have seen came from a large Midwest health system that asked Business Associates to complete the Compliance Cloud Matrix. Some of these questionnaires are lengthy and quite similar to the questionnaires HIPAA auditors use in their audits.
At Datica, we provide links to resources on our site to help customers quickly answer questions about things like backup and logging. We also help answer these questions directly for customers, removing the burden of generating responses. Before, after, or during the process of completing these questions, Datica will happily join phone calls for customers to help answer questions related to infrastructure security and compliance. Having gone through multiple HIPAA audits, we have addressed most of these questions and verified answers. The ability for our customers to lean on Datica as audited, trusted compliance partners during the sales process expedites go-lives.
“Datica made things easy for us as we developed our own privacy and security policies, and then went through the security gauntlets of some of the big health systems. Many of our policies directly quote or refer to Datica’s policies that they make available on a well-organized public page. And often when big systems have had security questions about our deployment, I could either refer them to Datica’s HIPAA page, or simply copy and paste from the page myself.” — Mayank Thanawala, SVP - Research & Development, HEALTHLOOP
Risk is a big concern for healthcare enterprises. Modern technologies, especially cloud based systems, are outside the control and purview of enterprises. The lack of transparency into these platforms and systems increases the risk for enterprises. The interconnectivity through APIs and multiple cloud vendors (hosting, monitoring, logging, integration, etc.) presents additional challenges. At Datica, we take a proactive approach to transparency in our compliance and information security posture, including our mappings and obligations under HIPAA, as well as our internal policies and procedures. We are compliant by design, and we publish the data and tools to prove it, both for our customers and for our customers’ customers.
A good example is our public policies page. We list current policies followed at Datica. Each policy is mapped to specific HIPAA and HITRUST rules. We do this to make it easier for our customers to point to us as a compliant partner. We spent countless hours drafting policies and tweaking them through multiple audits to ensure they are in line with modern technology vendors while maintaining mappings to HIPAA.
We know several customers refer compliance and security officers to our policy page. With such positive feedback on our policies, we recently open sourced them so others can use or improve them, if they choose.
Healthcare is at a tipping point. The digitization of health data, proliferation of sensors and connected devices, and changing incentives around accountability and patient-centered care are driving entirely new technology solutions. Developers, companies, and investors are flocking to healthcare like never before. Healthcare enterprises are finally adopting new solutions. But, in order to succeed in distributing and scaling technology solutions, vendors must overcome the risk aversion of healthcare enterprises.
It is possible to build and maintain compliant cloud environments on traditional, dedicated infrastructure, but it takes time and energy. HIPAA compliance using cloud technologies requires a unique skillset. Healthcare enterprises like to see audit reports and other evidence related to compliance and information security. Datica customers lean on us as partners with expertise in HIPAA compliance. We in turn deliver value in the sales process for our customers, enabling them to overcome objections related to compliance and security.
If you want to learn more about how Datica can help you sell to healthcare enterprises faster, send us an email or give us a call at 888-377-3184.
Datica makes digital health in the cloud a reality by removing the risks that prevent its adoption. We turn HIPAA compliance on public infrastructure providers into a solved problem, and enable secure clinical data exchange between mission-critical digital health applications and EHR systems. Datica serves healthcare’s complete spectrum, from digital health startups and industry leaders to health systems across the nation. Hundreds of customers and partners trust Datica to ensure their clouds are HITRUST certified and data securely interoperable.