In HIPAA Hosting, No Lunch is Free

Updated on January 22, 2022
Adam Stern

Business may be brisk for cloud service providers across the spectrum, but that doesn’t mean users are going home happy.  According to a recent Forrester Consulting study, theirs is not a warm and fuzzy lot. The Forrester report cited seven deadly sins users commonly ascribe to their cloud providers, ranging from a glaring lack of transparency to feeling ignored, from stinginess with essential metadata to troubles with compliance and on-boarding. 

To that litany, we’d like to add “bait and switch.”  And perhaps “being disingenuous.”  The concept of an “all you can eat plan” from managed services or Desktop-as-a-Service (DaaS) providers – specifying a supposedly full menu of services – is undeniably attractive to users, especially emerging healthcare organizations that regard IT infrastructure services as growth serum.  And users, quite understandably, have been signing up to these plans in droves.  Thing is, the providers – who can be of just about any size, from the biggest players to the freshest boutique – don’t quite make the asterisk next to “All You Can Eat” big enough.  Put another way, it’s all you can eat, unless you want to eat more.  If your performance suffers, if your data requirements increase, if your needs grow, well… you’re on your own.

Make no mistake: the typical DaaS or managed services provider – the vendor who won the business by promising to meet user needs at fire sale prices – will invariably recoup their costs and then some by throttling down bandwidth.  In the cloud, it’s not space that’s finite — the scarce/pricey commodity is performance. 

Indeed, as Debra Shinder recently observed in Cloud Computing Administration, If DaaS is looking attractive, it’s important to remember that no solution is ever perfect, and cloud-based virtual desktops also have their down side.  One of the most frequent user complaints whether it’s hosted on premises or in the cloud – is performance.” 

“When you implement DaaS, users are at the whim of your provider and the connection between them,” concurs Ryan McLaughlin, in Search Virtual Desktop“There are no guarantees that your cloud desktop provider will not suffer a disaster or outage at some point, leaving your data inaccessible and your users unable to do their work.  Even excluding the worst-case scenarios, latency is still a regular problem for many, and it can affect work performance with little recourse for customers. Add to that the costs of potential bandwidth increases to handle the extra traffic that comes with a cloud desktop…”

It’s not that users haven’t noticed.  Last July, Enterprise Management Associates (EMA) published a survey of 156 IT pros involved with virtual desktop operations.  The report, “Desktop Virtualization: Emerging Requirements and Optimal Configurations,” highlights some festering issues in the DaaS environment – issues, like network performance, that TechTarget ‘s Bridget Botelho suggests really should be addressed in service-level agreements (SLAs). 

“In EMA’s survey, the biggest issue by far was that DaaS providers lacked the time and personnel to address customer issues,” Botelho notes.  “The other component of DaaS that’s troublesome is application performance management — 45 percent of EMA’s survey respondents said it is a problem,” to which EMA’s Steve Brasen adds, “in your SLA you want to ensure application performance, and you may even want to name specific applications that must meet a certain performance level.”

This, then, is the dicey underside of “all you can eat.” Or to evoke another gastronomic metaphor: in HIPAA hosting, “there’s no such thing as a free lunch.” Hospitals and other healthcare organizations can escape this trap by being discerning IT consumers.  That doesn’t mean controlling appetites (there’s nothing unreasonable or gluttonous about wanting or expecting superior performance); it does mean taking a hard look at the entire cloud environment.

Increasingly, the logical alternative to DaaS – minus the unforeseen performance limitations — is the Infrastructure-as-a-Service (IaaS) model.  Unlike DaaS, IaaS is holistic, accommodating growth (and attendant needs for higher performance) while providing users with more than adequate headroom.  That’s especially relevant in an environment as sensitive and highly regulated as HIPAA hosting.

IaaS rejects the notion that the cloud is strictly about hardware.   Instead, the IaaS model is increasingly focused on application delivery.  No matter what application a healthcare organization is using, a savvy IaaS provider should know how to deliver that app.  Every HIPAA hosting plan should be designed to provide what users need, and it should never be necessary to build from scratch.

A well-oiled IaaS machine – where servers and prefab packages effectively take the place of IT professionals –should deliver 100 percent uptime.  Basic SLAs should provide, at minimum, “semi-managed services.”  That is, the IaaS provider should manage everything from the hosting environment up to the operating system – including every jot and tiddle concerning client privacy and data security.  Customers can be as involved in the application install and management as they choose to be, or request concierge- level service.  With strict HIPAA compliance as a given, the better providers are as comfortable working with customers who have IT departments as with those who don’t.

For disgruntled cloud users – those on the short end of the “all you can eat” cafeteria line — IaaS is more than capable of turning frowns upside down.

Adam Stern is founder and CEO of Infinitely Virtual ( in Los Angeles.