A Healthier Dose of Data Storage: A Healthcare Industry Primer

Chris Miller, for HealthLeaders News, July 31, 2007

Finding the right prescription for your computer system's vital digital information isn't easy. Every hospital or medical facility is unique--as unique as every patient, his or her history, their condition, and treatment. Today, protecting and storing sensitive medical and patient data is more critical than ever--with threats looming from everything such as viruses and malicious code, to "social engineering" emails to power loss and casualty from fire or natural disasters.

Lost data is a big concern for anyone within arm's reach of a keyboard. In a 2006 Carbonite survey, 69 percent of computer users said they have lost data due to disk or system failure, viruses, fire or other disaster. Forty percent have lost data two or more times in the last year. For healthcare providers, however, protecting valuable patient and hospital employee data is more critical than ever. In fact, by 2008, healthcare providers in the U.S. and Canada will spend up to $39.5 billion on health IT, according to Health IT News. Monies will also be specifically designated for building and protecting data systems as companies are faced with an avalanche of data.

These healthcare providers recognize that data protection is a two-part strategy: one part management, one part security. The wrong strategy on either count can be devastating; recent experiences of medical facilities tell the tale. In 2006, the Northwest Hospital chain lost an unsecured laptop containing medical and person records of 365,000 patients of the Providence Healthcare system, which operates hospitals in Oregon and Washington. In March 2007, two thousand patients at Rhode Island-based Westerly Hospital had their names, social security numbers, and medical records posted on a public website--all without the hospital's knowledge. A breach in the hospital's database allowed hackers to tap the information. Seattle-based Group Health Cooperative Healthcare System lost two laptop computers containing the personal information of 31,000 people--including names, addresses, social security numbers, and Group Health ID numbers of local patients and employees. The list of healthcare providers with woefully inadequate protection measures goes on. With proper data management and encryption procedures, these security breaches could have been prevented. Despite the availability of solutions, some hospital networks remain behind the curve. By better understanding how data management works, your healthcare facility need not be one of them.

For many healthcare industry managers, the cost of proper data management has been an issue, putting private patient and staff information, emergency phone numbers, special health conditions, payroll reports and more at high-risk. But even if your facility has upgraded its strategy in recent years, chances are your existing solutions are proving to be labor-intensive, costly, and insufficient in meeting your needs. Why? The continued growth of remote data persistently poses one of the greatest challenges. Typically, each facility's remote site has been managed as an independent data island, and is equipped with a dedicated set of IT infrastructure which includes backup software and hardware. The lack of expertise and overall variability in operations has led to questionable backup processes in many remote hospital environments. Backups are often not run on a regular schedule, or fail frequently. With the advent of newer, smarter data management technologies and market competition, every healthcare provider can afford to be protected from catastrophic data loss. However, with so many more options in the marketplace, how do you choose?

Option 1: Tape or 'first generation' backup
As the older form of modern data storage, tape-based or "first generation" backup is the most commonly used storage system in healthcare systems nationwide. Essentially, data is backed up at multiple sites, stored in a central server, back-up tapes are created, and the tapes are catalogued and shipped for physical off-site storage and maintenance. Through usage, many institutions are accustomed to working with tape and have managed their data successfully with separate staff in place to manage the data storage. However, there are significant drawbacks to tape-based backup at multiple sites--especially for medical facilities with a growing reliance on IT-solutions for their day-to-day operations.

One of the main complaints from healthcare providers is the exponential rate of data growth as it relates to tape backup management. As data grows, the time it takes to backup to tape lengthens. Unfortunately, the window to backup remains the same, forcing many facilities to back up incrementally or not at all. Since backups typically span many tapes, restores are more difficult. Storing tapes in an organized fashion also can become labor-intensive, particularly for institutions with large backup sets. Human resources are also consumed, and can be costly. Tape backup is a manual process, requiring daily interaction and attention to assure that tapes are rotated, shipped offsite, and retrieved for restoration. Moreover, as with any manual process, tapes can be misplaced or damaged. In these instances, the data recoverability success rate in some cases is below 50 percent. However, until you perform the restore, there is no way to know whether your backup is restorable.

Option 2: Disk/tape backup or 'second generation' backup
Despite the great expense of this system, "second generation" backup has the advantage of improving speed and restore times. The virtual tape library (VTL) technology takes a random access drive and turns it into a temporary backup/restore staging area that eventually offloads to tape--which improves backup speed. However, because this is a tape-based system, the long-term data growth dilemma is omnipresent. The virtual tape library actually doubles the amount of writes per full backup--to disk, then tape. For IT staff, the learning curve in managing "second generation" backup issues is steep. On the security side of second generation backup, encryption is difficult and time consuming. Long-term, VTL forces massive data change due to "bloated file" based backups-- reducing drive performance and reliability.

Option 3: Online or 'third generation' backup
Online, or "third generation," backup is the third main category of backup options. Initial popularity of tape-based recovery was due, in part, to the nature of online backup as an off-site service provider. In the past, online data encryption, transfer, and storage was costly--too costly for some healthcare providers. Moreover, some worried about the sufficiency of an offsite system support program (SSP) and wanted to manage their own data. However, as more providers have become easy prey to hackers, viruses, system failures and the exploding rate of data growth, the tide of opinion has changed. In a 2005 Gartner study of 104 computer users surveyed, only 5 percent said they would never consider using an off-site backup service provider--a plunge from the 30 percent to 40 percent who wouldn't use such a service in 2003 and 2004. With "third generation" enterprise data protection, special software gathers the data from each remote server, compresses it, and encrypts the data prior to sending it to a storage provider's primary vault location offsite for encrypted storage. Another option is to "house" your own vault location, which some companies prefer to the provider's offsite storage. As a result, "third generation backup" solves many of the storage and restore reliability issues posed by first and second generation backup. Additionally, due to changes in available technology and market competition, online backup is now an affordable option for most healthcare institutions. In all three options, however, the key considerations are solutions to exploding data growth and data security.

According to the University of California, data growth is exploding at 1.5 billion TB, or roughly 1 zettabyte, each year. For purposes of illustration, one zettabyte is equal to one sextillion bytes. What does this mean for the first, second, or third generation backup user? As revealed in a Forrester Research study, the capacity of the average Enterprise system is 59 TB. With "first generation" backup, that data at 2-1 compression would be 29.5 TB. After 52 weeks, the data size would grow to 1534 TB. At 12 months fully vaulted, the data size would be 354 TB. In comparison, "second generation" backup (tape + VTL) yields an even larger data size than tape alone. At 52 weeks, data size with "second generation" backup maxes out at 3068 TB and 708 TB at 12 months fully vaulted. Based on these numbers, healthcare providers that utilize tape-based solutions will--if they have not done so already--need to re-evaluate their current data management and storage procedures. As the only non-tape based method, "third generation" backup appears to manage data growth the best.

Some, but not all, SSPs offer massive data reduction as part of their online or "third generation" backup and this helps significantly to steady the growth of enterprise data. For these SSP systems, data changes are detected at the block or chunk level and common files and unique data are saved only once. This reduces the data transfer and storage requirements by two to three times. Under this scenario, 59 TB of data at a 2-1 compression would be 19.7 TB in size. After 52 weeks, the data would remain 19.7 TB in size and at 12 months fully vaulted, the total data size would be 20 TB. It is this difference in managing massive data growth that is fueling interest in "third generation" backup strategies.

As information technology continues to advance, healthcare administrators have the opportunity to maximize its benefits for patients, physicians, and staff--with few of the drawbacks. It all comes back to careful planning and a keen eye to the future. As you ready your staff and your facility to consider all of your present and future data storage and security needs, here is a checklist of questions that might be helpful:

The 'healthy data' checklist

1. Compression and backup: When are backups performed and how often? Are the backups full or incremental? When is data compressed? Before it leave the premises? For newer tape-based systems, how easy is it to perform a restore and what is the failure rate?

2. Data protection: When does the encryption take place? Is the data encrypted during the transfer and storage? Who has access to the encrypted information and the encryption keys?

3. Oversight and management: If the provider is online, do you pay for metered storage or a flat fee? What oversight is offered on managed storage? And what are their data management policies?

---

Chris Miller is the chief technology officer at Digitiliti, an online data protection/primary storage provider. Chris Miller can be reached at 612-235-5020 X 17 or at cmiller@digitiliti.com.